X frame options set

jjpet · September 30, 2017, 6:55pm

The “X-Frame-Options” HTTP header is not configured to equal to “SAMEORIGIN”.

nextcloud v12.03 on debian with nginx.

curl output;
HTTP/2 302
server: nginx/1.13.3
date: Sat, 30 Sep 2017 18:52:11 GMT
content-type: text/html; charset=UTF-8
location: https://xxxxxxxxxxxxxxxxxx
set-cookie: oczl9sqcvubw=id1p6parkfmmtnh4mn9o8ra3h0; path=/; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=IBnzOGscqsZBGPGAlfk5yOhW5sttLlNHeFSGaZlgq%2FKnd50om%2BYWBw5ACQHCmmeadXlvAlIZpFgk4C%2BOTxiqkBiI4oxXFWF4ZcKgmtxn%2BnPF4WX7TIuAAR0sOg417oVe; path=/; secure; HttpOnly
content-security-policy: default-src ‘self’; script-src ‘self’ ‘unsafe-eval’ ‘nonce-RzVSNlJQcHROUTRNd29zWVJvd0ZaRmx6WGxNZXpqSElQYjlkSkJ3RjQrST06VjZFK2Q0OGdiejBuaTg5c0xMeDFKMkF5T3lKVi9HaUZiY28wUldSejBLMD0=’; style-src ‘self’ ‘unsafe-inline’; frame-src *; img-src * data: blob:; font-src ‘self’ data:; media-src *; connect-src *; object-src ‘none’; base-uri ‘self’;
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-tag: none
x-download-options: noopen
x-permitted-cross-domain-policies: none
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
strict-transport-security: max-age=63072000; includeSubdomains; preload
content-security-policy: upgrade-insecure-requests

jospoortvliet · October 1, 2017, 10:58am

Try to be more concrete in your question

You see this in the logs? In the browser? It is a security related issue, I think, like you get when embedding content on another page. What are you trying to do?

jjpet · October 1, 2017, 5:46pm

of course, my apologies; this occurs in the admin section of nextcloud, on the basic settings page, under “Security & setup warnings”

I originally had this and other related header settings in nginx which lead to double headers. and the security and setup warnings displayed errors for all of the double header entries. Upon removing the nginx header entries all warnings were resolved except this one.

I am trying to make all warnings in the admin/security and setup warnings page “go away”.

not sure why i am receiving this warning when the headesr show the x-frame sameorigin

Bernie_O · October 1, 2017, 6:10pm

Apparently removing the x-frame-header from the nginx website configuration removes the warning from the admin-section. The header seems to be added by Nextcloud anyway:

jjpet · October 1, 2017, 6:21pm

currently nginx is not setting the x-frame header option.