Welcome! Log In Create A New Profile

Advanced

Re: X-Frame-Options in nginx to allow certain subdomain

Francis Daly
November 26, 2021 09:22AM
On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such
> it needs to access resources in WOPI server subdomain. What I need is my
> nginx to allow X-Frame-Options for WOPI server subdomain.

It sounds like you want a request from the client, to have a specific
header with a specific value in the response when being proxy_pass'ed
through nginx.

Can you show one request that you make, and the response that you get,
and the response that you want to get instead?

Possibly the browser "developer tools" console can show the network
requests and responses; I suspect that you only care about the http
response headers, not the response body.

> My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to
> SAMEORIGIN.
>
> I've tried adding following line to NC conf file with no luck:
>
> proxy_hide_header X-Frame-Options
>
> Also tried adding this line, with no luck either
>
> add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

What does "no luck" mean, here?

I suspect it is "the browser did not end up doing what I want"; but from
an nginx perspective it would be easier if you could say "I want *this*
response but I get *that* response". (What the browser does with the
response is less interesting, from this viewpoint.)

When it comes to nginx directives, adding things in one part of the
config can "hide" or "override" things written elsewhere, for one request.

"proxy_hide_header" means "if the proxy_pass response includes this
header, do not send it to the client".

"add_header" means "for certain response codes, send this header
name/value in the response".

However...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.

Whether your browser would do anything with an X-Frame-Options header,
is entirely up to your browser. (If it would not do anything, then
spending time configuring your nginx to send the header will not benefit
the browser.)


If you can show a complete-minimal config that shows the problem that
you see, it may become clearer what changes are needed on the nginx side.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

X-Frame-Options in nginx to allow certain subdomain

drodriguez November 26, 2021 06:46AM

Re: X-Frame-Options in nginx to allow certain subdomain

Francis Daly November 26, 2021 09:22AM

Re: X-Frame-Options in nginx to allow certain subdomain

drodriguez November 26, 2021 02:06PM

Re: X-Frame-Options in nginx to allow certain subdomain

Francis Daly November 26, 2021 06:32PM

Re: X-Frame-Options in nginx to allow certain subdomain

drodriguez November 27, 2021 09:28AM

Re: X-Frame-Options in nginx to allow certain subdomain

Francis Daly November 30, 2021 03:18PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 56
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready