Nextcloud version: 14.0.3
Operating system and version: Ubuntu 18.10
Apache or nginx version: Apache 2.4.37
PHP version: 7.2
The issue you are facing:
Yesterday I visited the “Settings -> Overview” page on my Nextcloud instance and was surprised to see the warning “X-Frame-Options not set to SAMEORIGIN”.
I’m not sure when this warning started to show up but I am sure it didn’t when I did the upgrade to 14.0.3.
I also switched from the PHP Apache module to PHP-FPM recently, but I didn’t check before the change so I’m not sure if this might be related.
I’ve done a bit of troubleshooting already but I just can’t figure out what’s wrong. So here’s a bit of background information:
- My Apache server is configured to always include the X-Frame-Options header (I serve a few other apps on the same vhost so I figured it’s easier to just add it there)
- The header is duplicated even if I remove the instruction from my vhost file to set it
- I grepped every single conf file to find any “rogue” header instructions but there are none, and indeed if I remove the one from my vhost, the header is not set at all for other sites I serve on the same vhost, except for Nextcloud, where it remains duplicated
- I created a test.php file and added several headers using PHP’s header command and those headers only appear once
- When I comment out
  /lib/private/legacy/response.php:97: header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
  everything is working as expected (no warning if I have the instruction to set the header in my vhost file and a warning if I remove it)
This seems very odd to me and I didn’t find any bugs or forum posts describing exactly this scenario, so I thought I’d ask here first before logging a bug in case someone has an idea what is wrong with my setup.
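
A way to confirm the duplication described in this post from a captured response, as an added example that is not part of the original post or of Nextcloud's code: it parses `curl -sI` output and flags headers that arrive more than once, either as repeated lines or folded into one comma-separated value. The sample response, the host name and the set of headers checked are constructed assumptions.

```python
from collections import defaultdict

# Assumption: headers expected once per response with a single value.
SINGLE_VALUE = {"x-frame-options", "x-content-type-options", "x-xss-protection"}

# Constructed sample of `curl -sI` output: a redirect, then a response in which
# the header is emitted twice (for example once by the web server, once by PHP).
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.test/login
X-Frame-Options: SAMEORIGIN

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
x-frame-options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

def split_responses(raw):
    """Return one list of lines per response (curl prints every hop of a redirect)."""
    blocks = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line.startswith("HTTP/"):
            blocks.append([line.strip()])
        elif line.strip() and blocks:
            blocks[-1].append(line)
    return blocks

def audit_block(block):
    """Return (header, kind, values) for each single-value header seen more than once."""
    seen = defaultdict(list)
    for line in block[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # A proxy may fold repeated lines into "v1, v2", so split on commas too.
            seen[name.strip().lower()] += [t.strip() for t in value.split(",") if t.strip()]
    findings = []
    for name in sorted(SINGLE_VALUE.intersection(seen)):
        values = seen[name]
        if len(values) > 1:
            kind = "conflicting" if len({v.upper() for v in values}) > 1 else "duplicated"
            findings.append((name, kind, values))
    return findings

def audit(raw):
    """Map each response's status line to its findings."""
    return [(block[0], audit_block(block)) for block in split_responses(raw)]

if __name__ == "__main__":
    for status, findings in audit(SAMPLE):
        print(status, findings or "ok")
```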