Display external websites directly in your Nextcloud dashboard with customizable widgets
- Embed any website in your Nextcloud dashboard using iframes
- Multiple widget types: Public (admin-configured), Personal (user-configured), and Group-based widgets
- 5 public widget slots for admin-configured widgets visible to all users
- 5 group widget slots for group-specific content delivery
- 1 personal widget per user for individual customization
- Custom icons via Simple Icons using
si:prefix (3000+ brand icons) - Icon color picker for custom icon colors
- Adjustable iframe height or automatic sizing
- Extra-wide display option (spans 2 dashboard columns)
- Configurable iframe security with sandbox and allow attribute customization
- Hide widget header by leaving title empty
- Multi-language support with 15 translations
Future planned features:
- 3-column widget size option
- Refresh button and auto-refresh timer
- Additional language translations
- Enhanced widget management UI (drag & drop, categories)
Widget in Dashboard
Admin Settings
Configure public widgets from Settings β Administration β iFrame Widget:
| Setting | Description |
|---|---|
| Widget Title | Display title (leave empty to hide header) |
| Widget Icon | Icon using si: prefix (e.g., si:github) |
| Icon Color | Custom hex color for the icon |
| URL to Display | The website URL to embed |
| iFrame Height | Fixed height in pixels or auto (default) |
| iFrame Sandbox | Security sandbox attributes for the iframe |
| iFrame Allow | Feature policy (e.g., microphone camera fullscreen) |
| Extra Wide | Span two dashboard columns |
Public widgets appear on all users' dashboards.
Each user can configure their own widget from Settings β Personal β iFrame Widget:
- Same configuration options as public widgets
- Visible only to the user who configured it
- Independent from admin-configured widgets
Create widgets for specific user groups from Settings β Administration β iFrame Widget:
- Scroll to "Group-based iFrame Widgets" section
- Select a group from the dropdown
- Configure widget settings (same options as public widgets)
- Save to make the widget visible to group members
You can configure up to 5 group widgets. Each widget can target a different user group.
The app provides a slot-based architecture:
| Widget Type | Slots Available | Visibility |
|---|---|---|
| Public | 5 slots | All users |
| Group | 5 slots | Members of selected group |
| Personal | 1 slot per user | Individual user only |
Users can enable any combination of these widgets on their dashboard using the "+" customization button.
This widget uses Simple Icons for brand icons:
si:iconname
Examples:
si:github- GitHub iconsi:youtube- YouTube iconsi:nextcloud- Nextcloud iconsi:slack- Slack icon
Browse 3000+ available icons at simpleicons.org.
- Nextcloud 30, 31, 32, or 33
- Website must allow iframe embedding (some sites block this)
- CSP configuration may be required for external domains
Currently supported languages:
| Language | Code | Language | Code |
|---|---|---|---|
| English | en | Portuguese | pt |
| German | de | Brazilian Portuguese | pt_BR |
| French | fr | Chinese (Simplified) | zh_CN |
| Spanish | es | Japanese | ja |
| Italian | it | Czech | cs |
| Dutch | nl | Swedish | sv |
| Russian | ru | Norwegian BokmΓ₯l | nb |
| Polish | pl |
Contribute translations via the translation guide.
Nextcloud restricts iframe embedding by default. This app now adjusts CSP via the Nextcloud PHP CSP API based on the configured widget URLs, which avoids conflicting CSP headers from the web server.
Important: Do not add a second CSP header in Apache/Nginx for
frame-src. Browsers apply the most restrictive policy when multiple CSP headers are present, which can still block your iframe.
Some websites explicitly block iframe embedding using X-Frame-Options: DENY or frame-ancestors: 'none'. These sites cannot be embedded regardless of your CSP configuration. Consider using the External Sites app with redirect option instead.
Version 0.9.0 adds customizable iframe security attributes:
Controls iframe restrictions. Default: allow-same-origin allow-scripts allow-popups allow-forms
Common values:
allow-same-origin- Allow same-origin policyallow-scripts- Allow JavaScript executionallow-popups- Allow popupsallow-forms- Allow form submissionallow-modals- Allow modal dialogs
Controls browser feature access. Default: empty (no additional permissions)
Common values for VOIP/video apps:
microphone- Microphone accesscamera- Camera accessfullscreen- Fullscreen modeautoplay- Media autoplaydisplay-capture- Screen capture
Example for a VOIP application:
microphone camera fullscreen
- Embedded websites operate in their own security context
- Use trusted sources for embedded content
- The sandbox attribute provides additional isolation
- CSP configuration is managed server-side for security
- Add the widget using the "+" button in dashboard customization
- Check browser console for JavaScript errors
- Verify the app is enabled:
php occ app:list | grep iframe
Try these solutions:
# Clear Nextcloud cache
php occ maintenance:mode --on
php occ memcache:clear
php occ maintenance:mode --off
# Restart web server (Apache)
sudo systemctl restart apache2
# Or for Nginx
sudo systemctl restart nginx
sudo systemctl restart php-fpm
# Re-enable the app
php occ app:disable iframewidget
php occ app:enable iframewidget| Type | Configured By | Visible To |
|---|---|---|
| Public | Administrator | All users |
| Personal | Individual user | That user only |
| Group | Administrator | Members of selected group |
All types can be used simultaneously. Users add widgets to their dashboard via the "+" customization button.
If this project helps you, consider supporting this and future work, which heavily relies on coffee:
This project is licensed under the AGPL-3.0-or-later license.
- Simple Icons - Used for widget icons
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}