X-Frame-Options "SAMEORIGIN": NC on nginx keeps warning me

Hello!

I am running NC 9.0.50 on a Debian system. Nginx is configured and working well. However, NC keeps warning me about this X-Frame-Options being not set up correctly:

Der „X-Frame-Options“-HTTP-Header ist nicht so konfiguriert, dass er „SAMEORIGIN“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.

(Sorry for the German sentence, I don’t have the English version ready to hand.)

But this line

add_header X-Frame-Options "SAMEORIGIN";

is present in /etc/nginx/sites-available/nextcloud inside the server section. I already tried to put it into nginx.conf, but that did not make this message disappear either. I have read tons of pages now, and all confirm that this line inside the site’s configuration should make this message disappear. But it does not.

I can’t remember seeing this error message before I updated version 9 to version 9.0.50. Furthermore, when I use a websniffer, I can see this line along the headers returned:

X-Frame-Options: Sameorigin

I am beginning to suspect that this is a bug. Can anyone confirm this? Or does someone know a solution that I did not find yet?

Please post the output of curl -v https://cloud.nextcloud.com/ (obviously replace the domain name)

My suspicion is that your configuration adds this header multiple times.

Thanks for your answer. This is the result of a

curl -v https://mydomain -D tmp/nextcloud.txt:

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Mon, 11 Jul 2016 21:11:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.22-0+deb8u1
Set-Cookie: ocukme27fk7o=49ebds2b2if9o27vgi5oh1gu63; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=e0jd5aY9wIZ9tT1XiXeajfUYjaqWb4QSLB1bZRZauJ3U8ZO2Eo%2BXt7SCuiXpExEYjxpmt3Me8N6yi%2F%2FYfB8usPULaK6PM0bP9Eptqc3CyAXyHZHuiJHGF6B909A9drlb; path=/; secure; httponly
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Strict-Transport-Security: max-age=15768000; includeSubdomains
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Frame-Options: DENY

As you can see, there is only one header of that kind. I did a

grep -i "sameorigin" /etc/* -R

and the only result I got was in /etc/nginx/snippets/ssl-params.conf:

add_header X-Frame-Options "SAMEORIGIN";

Then I did a

grep -i "sameorigin" /var/www/* -R

and I got a few results, most of which inside some java files.

I commented the line in /etc/nginx/snippets/ssl-params.conf, but after restarting nginx the message still appeared. Then I put that line into /etc/nginx/sites-available/nextcloud, restarted nginx, but the message remained.

I’m afraid I am out of options now. :frowning: The only option left for me now is to ignore the message given by NC, because obviously this message is untrue: there is a header “X-Frame-Options: Sameorigin”, so how can NC tell me there isn’t?

It looks like X-Frame-Options: Sameorigin is present, but overridden with X-Frame-Options: DENY at the bottom, possibly some server-wide configuration adds that header?
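The reply above is the key observation: the dump contains two X-Frame-Options headers, and a check that reads the header as one value cannot match "SAMEORIGIN". The script below is an added example for this thread, not code from Nextcloud or nginx. It parses a saved header dump (the one posted earlier, trimmed; the folded Strict-Transport-Security line is kept as it appeared) and reports duplicated single-valued security headers plus the verdict a Nextcloud-style check would reach. It assumes the admin-panel check obtains the header through XMLHttpRequest's getResponseHeader(), which joins repeated headers with ", ", so "Sameorigin, DENY" never equals "sameorigin"; the function names and the SINGLE_VALUED list are the example's own.

```python
"""Detect duplicated or conflicting security headers in a captured HTTP
response, the situation behind the Nextcloud X-Frame-Options warning.

Added example for this thread; it is not Nextcloud's or nginx's own code.
Assumption: the admin-panel check reads the header via XMLHttpRequest,
which joins repeated headers with ", " (so "Sameorigin, DENY" never
equals "sameorigin"); this script reproduces that comparison on a dump.
"""

# Constructed sample: the header block posted earlier in the thread,
# trimmed (cookies dropped), keeping the folded Strict-Transport-Security
# line exactly as it appeared in the paste.
SAMPLE_DUMP = """\
HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
Strict-Transport-Security: max-age=15768000;
    includeSubdomains
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Frame-Options: DENY
"""

# Headers a client should not receive twice: browsers do not merge them,
# and on conflicting X-Frame-Options values Chromium, for instance, falls
# back to DENY. This list is the example's own choice.
SINGLE_VALUED = ("x-frame-options", "strict-transport-security",
                 "x-content-type-options")


def parse_headers(raw):
    """Return (name, value) pairs in wire order, names lower-cased.
    Continuation lines (leading whitespace, RFC 7230 obs-fold) are glued
    onto the preceding header, which is how the folded HSTS line above
    has to be read."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue                       # blank line or status line
        if line[0] in " \t" and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def xhr_value(pairs, name):
    """Value a browser's getResponseHeader() hands to page scripts:
    repeated headers joined with ', ' (assumption stated in the lead-in)."""
    values = [v for n, v in pairs if n == name]
    return ", ".join(values) if values else None


def check_security_headers(raw, expected_xfo="sameorigin"):
    """Report duplicated single-valued headers and the X-Frame-Options
    verdict a Nextcloud-style check would reach for this dump."""
    pairs = parse_headers(raw)
    seen = {}
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    duplicates = {n: v for n, v in seen.items()
                  if n in SINGLE_VALUED and len(v) > 1}
    joined = xhr_value(pairs, "x-frame-options")
    if joined is None:
        verdict = "missing"
    elif joined.lower() == expected_xfo:
        verdict = "ok"
    elif len(seen["x-frame-options"]) > 1:
        verdict = "duplicate"
    else:
        verdict = "unexpected"
    return {"x_frame_options": verdict, "xhr_value": joined,
            "duplicates": duplicates}


if __name__ == "__main__":
    report = check_security_headers(SAMPLE_DUMP)
    print("X-Frame-Options verdict:", report["x_frame_options"],
          "(browser sees %r)" % report["xhr_value"])
    for name, values in report["duplicates"].items():
        print("duplicate %s: %s" % (name, values))
```

Run against your own server with `curl -sD - -o /dev/null https://yourdomain.tld` piped into a file and passed to `check_security_headers`; a verdict of "duplicate" means the header is being added by two layers (an nginx `add_header` plus the application, or two nginx scopes), and the fix is to leave exactly one of them in place rather than to add a third.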

Yes, the header has to be defined somewhere else, but where? Even more: it seems to be added twice without being set in any of nginx’s config files. As I said before: I deleted that line, it’s not present in any file in /etc/nginx/, but still I get this message. This is really getting strange.

I noticed you only posted about grepping for “sameorigin”, maybe looking for the header with
fgrep -Ri "x-frame-options" /etc
will turn it up? (or maybe even look for “deny”, but that will probably turn up a lot of unrelated matches)

  1. Are you using one of those configs for nginx?
    https://docs.nextcloud.org/server/9/admin_manual/installation/nginx_nextcloud_9x.html

  2. Make sure to set ‘fastcgi_param modHeadersAvailable true;’ in the block regarding php

Hoping that helps…

Strange things happen… When I looked at the admin page again today, the warning was gone! I did not have time to fiddle about the server lately, so I can only guess that some update has solved the issue. There were a few new php packages that were updated within the last two days or so, so I guess one of these must have made the warning disappear.

But still: thanks for all your tips! :slight_smile:

I had the same issue on debian. It seems that the SAMEORIGIN header is already added by the nginx configuration somewhere. When I remove it from the nextcloud server configuration it is still added and the error goes away.


You are right. REMOVING the add_header X-Frame-Options “SAMEORIGIN”; line did actually do the trick.


I have the same phenomenon here.
Arch Linux with nginx 1.12.1 and Nextcloud 12.0.2
The header isn’t set in any configuration files and seems to get added by default.

Any clues about why this happens?

Same here. Fedora 26 + nginx 1.12.1 + php-fpm 7.1.10 + Nextcloud 12.0.3

Seems like lib/private/legacy/response.php (Line 260) also adds a security header, so X-Frame-Options appears twice.

Hi @p7k

It’s a better idea to open a new thread and post your logs and configs together with your latest steps to solve this problem.
Most important please provide the output of
curl -v https://yourdomain.tld
in the new thread, so that we can see what headers your server currently sends.

Did somebody create a new topic? Didn’t find one, also don’t know why this old one should not still fit? At least you find this one, if you search for some pattern related to the issue.

Whatever, I just faced the same, while having ownCloud installed just beside Nextcloud on Nginx. The ownCloud Nginx example config still serves the X-Frame-Options header, thus as explained above the error shows up.

Removing the header solved the warning, BUT actually the header is NOT served, at least does not show up on curl request:

curl -v http://192.168.178.24/nextcloud
*   Trying 192.168.178.24...
* TCP_NODELAY set
* Connected to 192.168.178.24 (192.168.178.24) port 80 (#0)
> GET /nextcloud HTTP/1.1
> Host: 192.168.178.24
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Sun, 19 Nov 2017 00:27:01 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: /nextcloud/
< Strict-Transport-Security: max-age=15768000; includeSubDomains; preload;
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
<
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.178.24 left intact

It is served if set in the Nginx config, but then the error on the admin panel shows up. So this for me looks like an error on the Nextcloud side.

I just discovered that in NC 17 this header does have to be added in nginx config in order to get rid of the error message.

It seems that in NC 17 the second occurrence of this header has been eliminated.