X-Frame-Options set two times #10280
Comments
GitMate.io thinks possibly related issues are #543 (X-Frame-Options set to Deny issues a security warning), #5246 (X-Frame-Options headers conflicting values), #4863 (X-Frame-Option DENY - NGINX), #3318 (Misleading error message regarding X-Frame-Options), and #3808 (Nextcloud complains if X-Frame-Options is too 'secure').
I can confirm that all issues that the bot found are related. A possible solution from my point of view is that Nextcloud does not add headers which are added through the webserver. This solution would fit all needs. You want to increase the strength, fine, you want to decrease the strength, not fine but the configuration of a webserver is most of the time chosen wisely, so I guess also fine...
Of course if the webserver is not supplying a header then it is fine if Nextcloud is adding it.
Just for reference, the linked PR solves the issue on Apache by unsetting the headers on the "onsuccess" table and adding them to the "always" table only via This kind of issue, due to two separate header tables on Apache2, is not present on other webservers.
Steps to reproduce
Expected behaviour
I expected that Nextcloud either does not set "X-Frame-Options: SAMEORIGIN" twice or that there is at least no warning on the admin dashboard.
Actual behaviour
On the admin dashboard, a warning appears that the "X-Frame-Options: SAMEORIGIN" is not set.
Server configuration
Operating system: Ubuntu 16.04
Web server: Apache2
Database: MariaDB
PHP version: 7.2.7
Nextcloud version: 13.0.4
Updated from an older Nextcloud/ownCloud or fresh install: Yes
Where did you install Nextcloud from: Official downloadserver as a ZIP
Signing status:
No errors have been found.
List of activated apps:
App list
Nextcloud configuration:
Config report
Are you using external storage, if yes which one: No, internal only
Are you using encryption: No
Are you using an external user-backend, if yes which one: OpenLDAP
LDAP configuration (delete this part if not used)
LDAP config
Client configuration
Browser: Firefox
Operating system: Ubuntu/Windows
Logs
Web server error log
No errors present.
Nextcloud log (data/nextcloud.log)
Not relevant
Browser log
Not relevant
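The doubled header reported in this issue can be detected from a raw response header block. The following Python check is an added example, not code from Nextcloud or the linked PR. The sample responses are constructed, the function names are hypothetical, and it assumes a client that joins repeated header fields with ", " and compares the result strictly against the expected value.

```python
# Added example: flag duplicated or conflicting security headers in a raw response.
# SAMPLE_* inputs are constructed; function names are hypothetical.

SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"   # e.g. added by the web server
    "x-frame-options: SAMEORIGIN\r\n"   # e.g. added by the application
    "\r\n"
    "<html>X-Frame-Options: DENY in the body must be ignored</html>"
)
SAMPLE_SINGLE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"


def header_values(raw, name):
    """Return every value sent for `name`, one entry per header field line."""
    values = []
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():                # blank line ends the header block
            break
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def combined_value(raw, name):
    """Value seen by a client that joins repeated fields with ', '."""
    values = header_values(raw, name)
    return ", ".join(values) if values else None


def audit(raw, name="X-Frame-Options", expected="SAMEORIGIN"):
    """Classify the header as missing, ok, unexpected, duplicate or conflict."""
    values = header_values(raw, name)
    if not values:
        return "missing"
    distinct = {v.upper() for v in values}
    if len(values) > 1:
        return "duplicate" if len(distinct) == 1 else "conflict"
    return "ok" if distinct == {expected.upper()} else "unexpected"


if __name__ == "__main__":
    for label, raw in (("single", SAMPLE_SINGLE), ("duplicate", SAMPLE_DUPLICATE)):
        joined = combined_value(raw, "X-Frame-Options")
        # Assumption: a strict equality check against the joined value.
        print(label, audit(raw), repr(joined), joined == "SAMEORIGIN")
```

For the duplicated sample the joined value is "SAMEORIGIN, SAMEORIGIN", so a strict comparison against "SAMEORIGIN" fails even though the header is present twice with the intended value.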