X-Frame-Option header set twice

Nextcloud version: 14.0.3
Operating system and version: Ubuntu 18.10
Apache or nginx version: Apache 2.4.37
PHP version: 7.2

The issue you are facing:
Yesterday I visited the “Settings -> Overview” page on my Nextcloud instance and was surprised to see the warning “X-Frame-Options not set to SAMEORIGIN”.
I’m not sure when this warning started to show up but I am sure it didn’t when I did the upgrade to 14.0.3.
I also switched from the PHP Apache module to PHP-FPM recently, but I didn’t check before the change, so I’m not sure if this might be related.

I’ve done a bit of troubleshooting already but I just can’t figure out what’s wrong. So here’s a bit of background information:

  • My apache server is configured to always include the X-Frame-Options header (I serve a few other apps on the same vhost so I figured it’s easier to just add it there)
  • The header is duplicated even if I remove the instruction from my vhost file to set it
  • I grepped every single conf file to find any “rogue” header instructions, but there are none, and indeed, if I remove the one from my vhost, the header is not set at all for the other sites I serve on the same vhost, except for Nextcloud, where it remains duplicated
  • I created a test.php file and added several headers using PHP’s header command and those headers only appear once
  • When I comment out
    /lib/private/legacy/response.php:97: header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
    Everything is working as expected (no warning if I have the instruction to set the header in my vhost file and a warning if I remove it)

This seems very odd to me and I didn’t find any bugs or forum posts describing exactly this scenario, so I thought I’d ask here first before logging a bug, in case someone has an idea what is wrong with my setup.


Update: Still no idea why the headers are duplicated, but at least I managed to fix it without having to monkey around in Nextcloud code, so for anyone who might have similar issues, here’s how I fixed it:

Instead of just having

Header set X-Frame-Options SAMEORIGIN

in my vhost I replaced it with

Header unset X-Frame-Options
Header set X-Frame-Options SAMEORIGIN

And it works just fine again. I’m still puzzled as to where the second header is coming from, and in case I ever find out I will update this topic. In the meantime, if anyone has an idea what else I could check, I would appreciate that.
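Before changing the vhost it helps to see exactly what the server sends: the following checker is an added example (not code from the thread, Nextcloud or Apache) that collects every X-Frame-Options value in a response, treats a repeated header or an already merged "SAMEORIGIN, SAMEORIGIN" as a duplicate, and reports whether a single SAMEORIGIN remains. The sample response is constructed to mirror the setup described above; `fetch_headers` is a hypothetical helper for running the same check live.

```python
"""Audit X-Frame-Options in an HTTP response, catching the repeated-header case."""
from http.client import HTTPSConnection

# Constructed sample: one copy from "Header set" in the vhost, one from
# Nextcloud's response.php (the situation described in this thread).
SAMPLE_DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Split a raw response head into (name_lower, value) pairs, keeping repeats."""
    pairs = []
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line:
            break                            # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fetch_headers(host, path="/"):
    """Live variant: HEAD request over HTTPS; getheaders() keeps repeated headers."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return [(n.lower(), v) for n, v in conn.getresponse().getheaders()]

def audit_frame_options(pairs):
    """Report whether X-Frame-Options is missing, set exactly once, or duplicated.

    A repeated header and a single header already merged as "SAMEORIGIN, SAMEORIGIN"
    both count as duplicates: a client that joins repeats with ", " (as
    http.client's getheader() does) no longer sees the exact value SAMEORIGIN.
    """
    values = [p.strip() for n, v in pairs if n == "x-frame-options"
              for p in v.split(",")]
    joined = ", ".join(values)
    if not values:
        return {"status": "missing", "count": 0, "joined": joined}
    if len(values) > 1:
        return {"status": "duplicate", "count": len(values), "joined": joined}
    ok = values[0].upper() == "SAMEORIGIN"
    return {"status": "ok" if ok else "unexpected", "count": 1, "joined": joined}

if __name__ == "__main__":
    print(audit_frame_options(parse_headers(SAMPLE_DUPLICATED)))
```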

There is also the Header always set directive, which is served via a different table, as well as when the request fails. Both directives (with and without always) do not replace each other.

The .htaccess inside the Nextcloud directory contains the Header as well, which might be the reason for the duplication. Will check which method to use where, to ensure the Header is set inside and outside the Nextcloud page, if desired.

Edit: Okay, just rechecked and tried to remember when I faced this issue:

  • Actually this is just an issue in combination with PHP-FPM; at least on my Apache + mod_php server I can set the header without any warning, and it is then served for all websites.

  • I faced the issue with Nginx + PHP-FPM: X-Frame-Options "SAMEORIGIN": NC on nginx keeps warning me
    As you can see, at least within this thread, no solution was found so far, besides disabling the setting server-wide. Still not sure if it is actually enabled for Nextcloud then, since curl reports nothing about the header, or if Nextcloud scans wrong, but:

  • I remember that I read somewhere that the header is set by PHP(-FPM) already.

  • And btw, X-Frame-Options is also the only security header not contained in Nextcloud’s .htaccess:

    <IfModule mod_env.c>
      # Add security and privacy related headers
      Header set X-Content-Type-Options "nosniff"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Robots-Tag "none"
      Header set X-Download-Options "noopen"
      Header set X-Permitted-Cross-Domain-Policies "none"
      SetEnv modHeadersAvailable true
    </IfModule>

Perhaps you meant only adding (to the vhost file):

Header unset X-Frame-Options

This seems to work for me.

Thanks for pointing out the file within Nextcloud that sets SAMEORIGIN again. It would be nice if this could be an option, added only if the webserver doesn’t already have it enabled.

For all of you using nginx and having this issue with the header duplicated by response.php: just add this to your nginx config to remove the one added by Nextcloud:

fastcgi_hide_header X-Frame-Options;
proxy_hide_header X-Frame-Options;

The first one should be enough but you know… better safe than sorry :wink:

Or I assume it is safe to completely remove this header from the nginx config, as it is not present in the official config example either.

Edit: X-Frame-Options is back in the documentation for version 17 of Nextcloud.