
How do I remove warning "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"? #24129

Open
tchap2 opened this issue Nov 14, 2020 · 16 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback

Comments

@tchap2

tchap2 commented Nov 14, 2020

Running NC19 in Docker on UNRAID OS. nginx came embedded in NC with the Docker installation.
In Settings -> Overview this shows:

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

Can someone explain how to solve this?

Explanation at #8207 seems like philosophical debate and is not helpful at all. Solutions are contradicting.

What is the name of the file that must be edited, where is this file located (full path), and where within the file must "SAMEORIGIN" be added? What is the exact syntax?


@tchap2 tchap2 added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Nov 14, 2020
@solracsf
Member

Duplicate of nextcloud/docker#928 ?

@army1349
Contributor

It seems like X-Frame-Options is obsolete anyway.

@szaimen
Contributor

szaimen commented Jun 17, 2021

Does this still happen on NC21.0.2 with the correct nginx configuration?
https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html?highlight=nginx

@ghost

ghost commented Jul 17, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Jul 17, 2021
@pojlFDlxCOvZ4Kg8y1l4

something something this shouldn't even be checked anymore

@szaimen the option works with NC 21.0.2 and 21.0.3, but I have it disabled to embed it and use frame-ancestors since those allow for it, and are not obsolete.

@ghost ghost removed the stale Ticket or PR with no recent activity label Jul 18, 2021
@ghost

ghost commented Aug 17, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Aug 17, 2021
@pojlFDlxCOvZ4Kg8y1l4

pojlFDlxCOvZ4Kg8y1l4 commented Aug 17, 2021 via email

@ghost ghost removed the stale Ticket or PR with no recent activity label Aug 17, 2021
@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of and removed needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Sep 15, 2021
@szaimen
Contributor

szaimen commented Jan 23, 2023

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

@szaimen szaimen added needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Jan 23, 2023
@tchap2
Author

tchap2 commented Jan 29, 2023

@szaimen

I just updated to 25.0.3, and the "The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN"" warning is still there.

Solutions in nextcloud User Guide DO NOT WORK!

Can someone please put an end to this nonsense and explain STEP-BY-STEP exactly WHERE and WHAT needs to be changed? It's ridiculous that after so many years of complaining, this is the ONLY ERROR that cannot be fixed on Nextcloud.

@szaimen
Contributor

szaimen commented Jan 29, 2023

If you need help with your setup, see https://help.nextcloud.com

@bitdruid

bitdruid commented Feb 15, 2023

If you need help with your setup, see https://help.nextcloud.com

This is still not resolved.
My nginx is properly configured for reverse proxy and the necessary headers, e.g.

server {
. . .
        add_header X-Content-Type-Options               "nosniff" always;
        add_header X-Frame-Options                      "SAMEORIGIN" always;
. . .
}

It only works if I remove them, but I don't want to set these headers again for each of my location blocks,
and I also think it's more secure to let the server handle that and not the application.

Nextcloud sends its own headers?! According to https://securityheaders.com/
I'm getting two responses with the header enabled and only one response if I turn them off.

It would be useful if there were just a config tag to turn off that behaviour.

edit:

avoid warnings with

location ^~ /pathtonx/ {
. . .
                proxy_hide_header X-Content-Type-Options;
                proxy_hide_header X-Frame-Options;
                proxy_hide_header X-Robots-Tag;
                proxy_hide_header X-Permitted-Cross-Domain-Policies;
. . .
}

but this still doesn't give control to the server
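The comments above describe three distinct states of the same response: the header missing entirely, the header present once with the expected value, and the header emitted twice (once by the application, once by the web server's add_header). The following is an added example, not code from Nextcloud, nginx or anyone in this thread; it parses a raw HTTP response header block the way a setup check might and reports which of those states applies, and it also reads the Content-Security-Policy frame-ancestors directive mentioned earlier as the modern counterpart. All four sample responses are constructed for illustration.

```python
"""Classify a response's clickjacking protection from its raw headers.

Added example for the thread above; not Nextcloud or nginx code.
The sample responses are constructed, not captured from a real server.
"""
from collections import defaultdict


def parse_headers(raw: str) -> dict:
    """Return {lower-cased name: [values...]} for a raw HTTP response.

    The status line is skipped; a header sent twice keeps both values,
    which is exactly the case we want to detect.
    """
    headers = defaultdict(list)
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def frame_ancestors_of(csp_values: list):
    """Extract the frame-ancestors source list from CSP header(s), or None."""
    found = None
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found = tokens[1:]
    return found


def check_frame_protection(raw: str) -> dict:
    """Report missing / duplicate / conflicting / wrong X-Frame-Options
    and whether CSP frame-ancestors is present."""
    h = parse_headers(raw)
    xfo = h.get("x-frame-options", [])
    distinct = {v.upper() for v in xfo}
    findings = []

    if not xfo:
        findings.append("missing: X-Frame-Options is not set")
    elif len(distinct) > 1:
        findings.append(
            f"conflict: X-Frame-Options sent {len(xfo)} times with "
            f"different values {sorted(distinct)}")
    elif len(xfo) > 1:
        findings.append(
            f"duplicate: X-Frame-Options sent {len(xfo)} times with the same "
            "value; both the application and the web server are adding it")
    elif distinct != {"SAMEORIGIN"}:
        findings.append(
            f"value: X-Frame-Options is {xfo[0]!r}, expected SAMEORIGIN")

    ancestors = frame_ancestors_of(h.get("content-security-policy", []))
    if ancestors is None:
        findings.append(
            "csp: no frame-ancestors directive; only X-Frame-Options "
            "limits framing here")

    return {"x_frame_options": xfo, "frame_ancestors": ancestors,
            "findings": findings, "ok": not findings}


# Constructed samples (CRLF-separated as on the wire).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n")
SAMPLE_DUPLICATE = (  # application header plus a proxy add_header
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "\r\n")
SAMPLE_MISSING = (  # CSP only, the state the setup check warns about
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "\r\n")
SAMPLE_CONFLICT = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n")

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUPLICATE),
                         ("missing", SAMPLE_MISSING), ("conflict", SAMPLE_CONFLICT)]:
        print(name, check_frame_protection(sample))
```

The checker deliberately treats "sent twice with the same value" and "sent twice with different values" as separate findings: the first is the symptom of setting the header both in the application and in a server-level add_header, the second is the state to fix first, since browsers have no single value to act on. The frame-ancestors lookup is there because a response that lacks X-Frame-Options but carries frame-ancestors is still protected in current browsers, even though a check that looks only for SAMEORIGIN will flag it.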

@danktankk

I get this error as well after updating to 25.04

@jaseinny

I too ran into this issue with version 25.0.3. After updating to 25.0.4 the warning is still there. Are there any updates on fixing this issue?

@MichaIng
Member

Are there any negatives of this header? Old browsers which do not understand/respect CSP do benefit from it. And CSP rules are set in PHP, so can be (intentionally or unintentionally) unset by webserver configs. The X-Frame-Options header on the other hand is set via .htaccess which overrides all webserver configs, hence is assured to be passed (by this Apache2 instance).

I'm all in for removing really obsolete headers, but in this case I think it should stay, at least until browsers start to drop support for it (currently all browsers support/respect it).

@MichaIng MichaIng removed the bug label Mar 24, 2023
@tcitworld
Member

@MichaIng
Member

MichaIng commented Nov 3, 2023

First of all, at least with Apache webserver this cannot work, as with the shipped .htaccess, the header is overwritten by the webserver, regardless what the backend sets. And changing the .htaccess or disabling it leads to integrity check or other errors. Secondly, this would be set for a particular page here, not the one checked by the setup checks. So in any case, this does affect the setup check.
