The "SAMEORIGIN" warning does not go away!

Same story here.

Are you behind a firewall or proxy?

Then do a grep in the webroot of your installation:

grep -R SAMEORIGIN *

and open

~/core/doc/admin/_sources/release_notes.txt

I have this output:

grep -R SAMEORIGIN /var/www/html/cloud.georgemovila.com/

/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: msg: 'The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/tests/specs/setupchecksSpec.js: 'X-Frame-Options': 'SAMEORIGIN',
/var/www/html/cloud.georgemovila.com/core/js/setupchecks.js: 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/release_notes.txt: add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/_sources/configuration_server/harden_server.txt:- X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/core/doc/admin/release_notes.html:add_header X-Frame-Options "SAMEORIGIN";
/var/www/html/cloud.georgemovila.com/core/doc/admin/configuration_server/harden_server.html: X-Frame-Options: SAMEORIGIN
/var/www/html/cloud.georgemovila.com/lib/private/legacy/response.php: header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

This is what Google Chrome says about your HTTP headers (press F12):

Perhaps Cloudflare is the problem?

And what should I do about this?

I do not think so, because I do not use Cloudflare; Nextcloud is hosted on shared hosting.

As you can see in the screenshot above, the X-Frame-Options header is set twice, 1x from .htaccess and 1x from PHP. Obviously ~/lib/private/legacy/response.php is doing it.

I would contact Cloudflare support.

I will try to contact them today, but I don't know what to ask them.

But maybe your hoster does?


No, I asked technical support.

I would send them the screenshot above and ask why the headers behind the CDN are not recognized by Nextcloud.

Which CDN or reverse proxy do they use?

I have not asked; surely it is their own security system, they are a very large company.

If you are using nginx then remove it:
https://docs.nextcloud.com/server/12/admin_manual/release_notes.html


My hosting uses Apache :sob:
I cannot understand why this warning appears! It comforts me that it actually works.

I have a similar situation, but self hosted. .htaccess includes the header line and my server config does it, too. So the server sets the header twice and I see the warning. I deleted it from .htaccess, because the server config is used for several subdomains and I do not want to have different configs for different subdomains.
I do not know if a double header line is a security risk. If not, and if your hoster cannot fix it, just ignore it …


Hi All,
After reading so many posts here and there... What finally worked for me was to realize and make sure that there is only one "version" of sameorigin or SAME ORIGIN or noreferrer/and variations or strict origin/and variations in all your .htaccess and .conf (nextcloud-ssl.conf or any name you gave it). In my case I left only this:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
in my nextcloud-le-ssl.conf under the /etc/apache2/sites-enabled directory.
Hope this helps all of you.
Fernando

I had the same problem; you need to comment out the following in /etc/httpd/conf.d/ssl.conf,
from
Header always set X-Frame-Options DENY
to
#Header always set X-Frame-Options DENY

For me it was changing the line:

Header always set X-Frame-Options DENY

to

# Header always set X-Frame-Options DENY

in

/etc/apache2/conf-enabled/ssl-params.conf

You guys can refer to /core/doc/admin/_sources/installation/nginx.rst.txt.
So change the line:
add_header X-Frame-Options "SAMEORIGIN";
to:
add_header X-Frame-Options "SAMEORIGIN" always;
in Nginx/site-cons/default

Nevertheless, scan.nextcloud.com shows a warning:

X-Frame-Options

The X-Frame-Options response header indicates whether a page can be iframed by other pages. An incorrect setting may allow so called “Clickjacking” attacks.

So, what can or should or must I do to avoid that warning?

[NC 17.0.0, PHP 7.3.11, NGINX 1.10.3, Raspbian 9.0]
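Two distinct misconfigurations come up in this thread: the header being emitted twice (once by .htaccess or ssl.conf, once by Nextcloud's own lib/private/legacy/response.php, as the grep output shows), and nginx's add_header being dropped on error responses when the always flag is missing (add_header without always only applies to 2xx and 3xx responses). The script below is an added example, not Nextcloud code and not anything posted by the participants above; it parses raw HTTP response heads, keeps duplicate header names instead of collapsing them into a dict, and reports any response where X-Frame-Options is missing, duplicated, conflicting, or outside the two values Nextcloud's core/js/setupchecks.js accepts (SAMEORIGIN and DENY). The sample responses are constructed for the example, not captured from any real server.

```python
"""Audit X-Frame-Options across captured HTTP response heads.

Added example (not Nextcloud project code). Accepted values follow the
list in core/js/setupchecks.js ('SAMEORIGIN', 'DENY'); on top of that it
flags the two problems discussed in the thread: the header set twice
(e.g. ssl.conf + Nextcloud's response.php) and the header missing on
error responses (nginx add_header without 'always').
"""
from typing import Dict, List, Tuple

ACCEPTED = {"SAMEORIGIN", "DENY"}  # values Nextcloud's setup check accepts
HEADER = "x-frame-options"


def parse_raw_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Parse a raw HTTP/1.1 response head into (status, [(name, value), ...]).

    Duplicate header names are preserved as separate entries; a dict would
    silently hide exactly the duplication this check is looking for.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_xfo(status: int, headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the header looks fine."""
    values = [v.upper() for n, v in headers if n == HEADER]
    findings = []
    if not values:
        findings.append(f"missing on HTTP {status} response")
        return findings
    if len(values) > 1:
        findings.append(f"set {len(values)} times: {values}")
    if len(set(values)) > 1:
        findings.append(f"conflicting values: {sorted(set(values))}")
    for v in set(values):
        if v not in ACCEPTED:
            findings.append(f"unexpected value {v!r}")
    return findings


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_xfo over a label -> raw response map; keep only the bad ones."""
    report = {}
    for label, raw in responses.items():
        status, headers = parse_raw_response(raw)
        findings = check_xfo(status, headers)
        if findings:
            report[label] = findings
    return report


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    # Apache ssl.conf sets DENY, Nextcloud's response.php adds SAMEORIGIN:
    # header present twice with conflicting values.
    "apache_duplicate": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
    ),
    # nginx add_header without 'always': header present on the 200 ...
    "nginx_200_ok": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
    ),
    # ... but absent on a 404 from the same vhost.
    "nginx_404_no_always": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}

if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(f"{label}: " + "; ".join(findings))
```

To use it against a live installation, capture the response heads of a normal page and of a deliberately nonexistent path (so that you get a 404) and feed both to audit(); the 404 case is what exposes the missing always flag, while the duplicate case is what the Chrome network tab in the screenshot above would show as two X-Frame-Options lines.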