The "SAMEORIGIN" warning does not go away!

Which version of Nextcloud?

I have just installed the latest version downloaded from nextcloud.com

Which webserver do you use and which PHP version?

I'm using:

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Jun 27 2018 13:48:59

# php -v
PHP 7.1.21 (cli) (built: Aug 25 2018 14:37:09) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.21, Copyright (c) 1999-2018, by Zend Technologies

I ran the test and X-Frame-Options SAMEORIGIN is active! But Nextcloud keeps telling me it is wrong.

PHP 7.2.8

Same story here.

Are you behind a firewall or proxy?

Then do a grep in the webroot of your installation:

grep -R SAMEORIGIN *

and open

~/core/doc/admin/_sources/release_notes.txt

I have this output:

# grep -R SAMEORIGIN /var/www/html/cloud.georgemovila.com/

/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/setupchecks.js: 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/release_notes.txt: add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/configuration_server/harden_server.txt:- X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/core/doc/admin/release_notes.html:add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/configuration_server/harden_server.html:X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/lib/private/legacy/response.php: header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

This is what Google Chrome tells you about your HTTP headers (by pressing F12):

Perhaps Cloudflare is the problem?

And what should I do about this?

I do not think so, because I do not use Cloudflare; Nextcloud is hosted on shared hosting.

As you can see in the screenshot above, the X-Frame-Options header is set twice: once from .htaccess and once from PHP. Obviously ~/lib/private/legacy/response.php is doing it.

I would contact Cloudflare support.

I will try to contact them today, but I don't know what to ask them.

But maybe your hoster does?


No, I asked technical support.

I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.

Which CDN or reverse proxy do they use?

I have not asked; surely it will be their private security system, as they are a very large company.

If you are using nginx, then remove it:
https://docs.nextcloud.com/server/12/admin_manual/release_notes.html


My hosting uses Apache :sob:
I cannot understand this warning! It comforts me that it actually works.

I have a similar situation, but self-hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it.

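Two posts above describe the same cause: X-Frame-Options arrives twice (from .htaccess or the server config, and again from PHP), and the setup check complains even though a browser would still honour it. The script below is an added example, not code from the thread or from Nextcloud. It reads an HTTP header block from stdin and reports whether X-Frame-Options is missing, set once with an accepted value (SAMEORIGIN or DENY, the two values the setupchecks.js line in the grep output lists), set with some other value, or duplicated. The sample responses are constructed; to check a real server, feed it the output of `curl -sI https://cloud.example/` (hostname is a placeholder).

```shell
#!/bin/sh
# Added example: audit the X-Frame-Options header in a raw HTTP header block.
# Not part of the forum thread or of Nextcloud; sample responses are constructed.

# Print every X-Frame-Options value found in the header block on stdin, one per
# line. Header name match is case-insensitive (proxies often lowercase it),
# CRs are dropped, and reading stops at the first blank line so a body that
# mentions the header is ignored. Pass the headers of the final response
# (curl -sI without -L shows only the first hop of a redirect chain).
xfo_values() {
    tr -d '\r' | awk '
        $0 == "" { exit }
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            if (name != "x-frame-options") next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
        }'
}

# Read headers from stdin and print one verdict:
#   missing              no X-Frame-Options at all
#   duplicate:N:same     sent N times with identical values (the thread's case)
#   duplicate:N:mixed    sent N times with differing values
#   weak:VALUE           sent once with a value other than SAMEORIGIN/DENY
#   ok:VALUE             sent once with SAMEORIGIN or DENY
# Exit status is 0 only for "ok", so the function can gate a deployment check.
check_xfo() {
    vals=$(xfo_values)
    if [ -z "$vals" ]; then
        echo "missing"
        return 1
    fi
    n=$(printf '%s\n' "$vals" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        distinct=$(printf '%s\n' "$vals" | sort -u | wc -l | tr -d ' ')
        if [ "$distinct" -eq 1 ]; then
            echo "duplicate:$n:same"
        else
            echo "duplicate:$n:mixed"
        fi
        return 1
    fi
    case "$(printf '%s' "$vals" | tr 'a-z' 'A-Z')" in
        SAMEORIGIN|DENY) echo "ok:$vals"; return 0 ;;
        *)               echo "weak:$vals"; return 1 ;;
    esac
}

# Constructed sample responses (CRLF line endings as on the wire).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')
# .htaccess and PHP both add the header: what the thread's screenshot showed.
SAMPLE_DOUBLE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')
# A front-end proxy lowercased the name; still one valid header.
SAMPLE_PROXY=$(printf 'HTTP/1.1 200 OK\r\nserver: nginx\r\nx-frame-options: sameorigin\r\ncontent-type: text/html\r\n')
SAMPLE_MISSING=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nContent-Type: text/html\r\n')
# Header present but with a value the setup check does not accept.
SAMPLE_WEAK=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://other.example\r\n')

# Stand-alone demo: print a verdict for each sample.
for name in SAMPLE_OK SAMPLE_DOUBLE SAMPLE_PROXY SAMPLE_MISSING SAMPLE_WEAK; do
    eval "hdrs=\$$name"
    printf '%-15s %s\n' "$name" "$(printf '%s\n' "$hdrs" | check_xfo)"
done
```

Against a live host: `curl -sI https://cloud.example/ | check_xfo` after sourcing the script. A `duplicate:N:same` verdict is the signature of the situation in this thread, and the fix is to remove one of the two sources (the .htaccess line, or the server-level directive, but not the one PHP emits); `duplicate:N:mixed` is worth treating as a real misconfiguration, since two sources disagree about framing policy.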