How do I remove warning "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"? #24129
Comments
Duplicate of nextcloud/docker#928 ? |
It seems like X-Frame-Options is obsolete anyway. |
Is this still happening on NC21.0.2 with the correct nginx configuration? |
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions. |
something something this shouldn't even be checked anymore @szaimen the option works with NC 21.0.2 and 21.0.3, but I have it disabled to embed it and use |
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions. |
Hello,
it would be awesome if this bug could be fixed :>
|
Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you! My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort! If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+ |
@szaimen I just updated to 25.0.3, and the "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"" warning is still there. Solutions in nextcloud User Guide DO NOT WORK! Can someone please put an end to this nonsense and explain STEP-BY-STEP exactly WHERE, WHAT needs to be changed? It's ridiculous that after so many years of complaining, this is the ONLY ERROR that cannot be fixed on nextcloud. |
If you need help with your setup, see https://help.nextcloud.com |
This is still not resolved.
It only works if I remove them, but I don't want to set these headers again for each of my /location blocks. nextcloud sends its own headers?! according to https://securityheaders.com/ It would be useful if there would be just a config-tag to turn off that behaviour. edit:avoid warnings with
but this still doesn't give control to the server |
I get this error as well after updating to 25.04 |
I too ran into this issue with version 25.0.3. After updating to 25.0.4 the warning is still there. Are there any updates on fixing this issue? |
Are there any negatives of this header? Old browsers which do not understand/respect CSP do benefit from it. And CSP rules are set in PHP, so can be (intentionally or unintentionally) unset by webserver configs. The I'm all in for removing really obsolete headers, but in this case I think it should stay, at least until browsers start to drop support for it (currently all browsers support/respect it). |
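The two situations raised in the comments above (a web server and the application each sending framing headers, and `X-Frame-Options` sitting alongside CSP) can be checked on a saved response. This is an added example, not part of the thread or of Nextcloud's code; the function names and the sample response are constructed for illustration.

```python
# Added example; SAMPLE_DUPLICATED is constructed input, not a real capture.
SAMPLE_DUPLICATED = """\
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """Return (name, value) pairs, keeping repeated headers as separate entries."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_framing(raw):
    """Summarise X-Frame-Options and CSP frame-ancestors for one response."""
    pairs = parse_headers(raw)
    # One header line may itself carry a comma-separated list of values.
    xfo = [tok.strip().upper()
           for name, value in pairs if name == "x-frame-options"
           for tok in value.split(",") if tok.strip()]
    ancestors = None
    for name, value in pairs:
        if name == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors = parts[1:]
    findings = []
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif set(xfo) != {"SAMEORIGIN"}:
        findings.append("X-Frame-Options is not SAMEORIGIN: " + ", ".join(xfo))
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent %d times" % len(xfo))
    if ancestors is None:
        findings.append("CSP frame-ancestors missing")
    return {"xfo": xfo, "frame_ancestors": ancestors, "findings": findings}


if __name__ == "__main__":
    print("\n".join(audit_framing(SAMPLE_DUPLICATED)["findings"]))
```

A header reported more than once means it is being set in more than one layer (for example the web server and the application), which is the first thing to rule out before changing either configuration.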
There are cases where we want to control its value: |
First of all, at least with Apache webserver this cannot work, as with the shipped |
Running NC19 in docker on UNRAID OS. nginx came embedded in NC with docker installation
In Settings-> overview this shows:
The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
Can someone explain how to solve this?
Explanation at #8207 seems like philosophical debate and is not helpful at all. Solutions are contradicting.
What is the name of the file that must be edited, where is this file located (full path), and where within the file must "SAMEORIGIN" be added? What is the exact syntax?