Remove SAMEORIGIN header from php files. #9141
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is *already* provided by the webserver software config (in my case NGINX). nextcloud install gives a false positive warning about X-frame options when doubled, like SAMEORIGIN. After commenting it out in this file, I get proper headers from nextcloud server: # curl -I https://next.jult.net HTTP/2 302 server: nginx date: Wed, 11 Apr 2018 08:13:28 GMT content-type: text/html; charset=UTF-8 location: https://next.jult.net/login set-cookie: ock5tdx30nt4=p8gtf93pg8if6uei3pfjs0hj93; path=/; secure; HttpOnly expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache set-cookie: oc_sessionPassphrase=seE5M%2BV2Qh%2Fvsjf%2FSwFp3M4oO6rV%2ByUbdexlOnuTEAbC7Tdgl8cdHp7xnP7XLi6LJ5G6u8RItWMn%2BcjCcI3IgOtoV2riO08XqZce8RDJPs4Paxi59x9socHNKwh2W982; path=/; secure; HttpOnly content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YW9WbStyQkU4S1BXa2RUdk1RMmtJVG1nYWF4YnlWN2VBZ3ovazA2UUZaND06THJkV3ZQWUNuL2V5b0p6QWZVeWRZQUR3SnNrRHZDZWZSR0NRd2dEa2RNMD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self'; set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict strict-transport-security: max-age=31536000; preload referrer-policy: no-referrer-when-downgrade content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block x-robots-tag: none x-download-options: noopen x-permitted-cross-domain-policies: none
|
You can replicate the erratic false positives by, for example, having your own nginx add-header config, add the nextcloud virtual server conf file (as provided in the Install docs) and then login to nextcloud server admin. You'll get warned about the headers NOT being there, while they're sent out twice! |
|
Please check out nextcloud/documentation#674 which allows to remove those headers from the request on the web server level instead of removing this for all the existing instances that rely on this. Could you try those updated config options please? Thanks |
And this is still wrong behavior and had some problems in setups in the past. So better fix and document it properly. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is already provided by the webserver software config (in my case NGINX). nextcloud server install webGUI gives false positive warnings about X-frame headers when it finds them double(?), like SAMEORIGIN. After commenting it out in this file, I get proper headers from my nextcloud server:
curl -I https://next.jult.net
HTTP/2 302
server: nginx
date: Wed, 11 Apr 2018 08:13:28 GMT
content-type: text/html; charset=UTF-8
location: https://next.jult.net/login
set-cookie: ock5tdx30nt4=p8gtf93pg8if6uei3pfjs0hj93; path=/; secure; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=seE5M%2BV2Qh%2Fvsjf%2FSwFp3M4oO6rV%2ByUbdexlOnuTEAbC7Tdgl8cdHp7xnP7XLi6LJ5G6u8RItWMn%2BcjCcI3IgOtoV2riO08XqZce8RDJPs4Paxi59x9socHNKwh2W982; path=/; secure; HttpOnly
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YW9WbStyQkU4S1BXa2RUdk1RMmtJVG1nYWF4YnlWN2VBZ3ovazA2UUZaND06THJkV3ZQWUNuL2V5b0p6QWZVeWRZQUR3SnNrRHZDZWZSR0NRd2dEa2RNMD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
strict-transport-security: max-age=31536000; preload
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none