Office Online Server editing does not work when Cloudflare DNS/WAF is used
Original Question or Issue:
Office Online Server editing doesn't work when Cloudflare DNS/WAF is used
Environment:
- Product - Any
- Version - Any
- Platform - Any
Steps to Reproduce:
Route the traffic to on-prem Office Online server via Cloudflare.
Error or Log Message:
Trying to edit files using Office Online shows an error. The browser developer console shows an error stating that the X-Frame-Options header is set to 'SAMEORIGIN' and that the Office Online URL is not allowed to load.
Defect or Enhancement Number:
Cause:
Resolution or Workaround:
Check Cloudflare for "Response Header Transform Rules" or "Managed Transforms" that have "Add security headers" enabled. This needs to be overridden in Cloudflare with custom content security rules that allow cross scripting with the FileCloud URL, in line with your organization's Cloudflare policies.
This may not be caused by an issue in the FileCloud .htaccess file. If the browser console shows errors related to default-src or SAMEORIGIN, make sure the Office Online Server URL is added to default-src and frame-ancestors in the .htaccess file.
Example:
Header set Content-Security-Policy: "default-src 'self' oos.filecloudlabs.com ........ \
connect-src ............... \
style-src ................. \
script-src .................. \
font-src ..................... \
img-src ....................... \
frame-ancestors 'self' oos.filecloudlabs.com ............ \
worker-src ................."
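To confirm which header is actually blocking the frame after a Cloudflare or .htaccess change, the browser's decision can be reproduced from the response headers. The following is an added example, not FileCloud or Cloudflare code: the function names are hypothetical, filecloud.example.com is a placeholder for your FileCloud URL, source matching is simplified (ports and paths ignored), and only the direct embedding page is checked.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, emb, res):
    """Simplified CSP source matching: ports and paths are ignored."""
    s = source.lower()
    if s == "'self'":
        return (emb.scheme, emb.netloc) == (res.scheme, res.netloc)
    if s == "*":
        return True
    if s.endswith(":"):                       # scheme-source such as https:
        return emb.scheme == s[:-1]
    scheme, _, host = s.rpartition("://")
    if scheme and scheme != emb.scheme:
        return False
    host = host.split("/")[0].split(":")[0]   # 'none' never equals a hostname
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host

def framing_verdict(headers, embedder, resource):
    """headers: (name, value) pairs of the framed response -> (allowed, deciding header)."""
    emb, res = urlsplit(embedder), urlsplit(resource)
    same = (emb.scheme, emb.netloc) == (res.scheme, res.netloc)
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    lists = [fa for fa in map(frame_ancestors, csp) if fa is not None]
    if lists:  # frame-ancestors takes precedence over X-Frame-Options
        ok = all(any(source_matches(s, emb, res) for s in fa) for fa in lists)
        return ok, "CSP frame-ancestors"
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if "DENY" in xfo or ("SAMEORIGIN" in xfo and not same):
        return False, "X-Frame-Options " + xfo[0]
    return True, "no framing restriction"

# Constructed sample headers; filecloud.example.com is a placeholder.
FILECLOUD, OOS = "https://filecloud.example.com", "https://oos.filecloudlabs.com"
only_xfo = [("X-Frame-Options", "SAMEORIGIN")]
csp = "default-src 'self' oos.filecloudlabs.com; frame-ancestors 'self' oos.filecloudlabs.com"
with_csp = only_xfo + [("Content-Security-Policy", csp)]
for hdrs in (only_xfo, with_csp):
    print(framing_verdict(hdrs, OOS, FILECLOUD))
```

Feed it the headers copied from the browser's network tab: a verdict naming X-Frame-Options with no frame-ancestors present points at the injected security header rather than at the .htaccess policy.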
Notes: