Francis Daly
November 26, 2021 09:22AM
On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such
> it needs to access resources in WOPI server subdomain. What I need is my
> nginx to allow X-Frame-Options for WOPI server subdomain.

It sounds like you want a request from the client, to have a specific
header with a specific value in the response when being proxy_pass'ed
through nginx.

Can you show one request that you make, and the response that you get,
and the response that you want to get instead?

Possibly the browser "developer tools" console can show the network
requests and responses; I suspect that you only care about the http
response headers, not the response body.

> My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to
> SAMEORIGIN.
>
> I've tried adding following line to NC conf file with no luck:
>
> proxy_hide_header X-Frame-Options
>
> Also tried adding this line, with no luck either
>
> add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

What does "no luck" mean, here?

I suspect it is "the browser did not end up doing what I want"; but from
an nginx perspective it would be easier if you could say "I want *this*
response but I get *that* response". (What the browser does with the
response is less interesting, from this viewpoint.)

When it comes to nginx directives, adding things in one part of the
config can "hide" or "override" things written elsewhere, for one request.

"proxy_hide_header" means "if the proxy_pass response includes this
header, do not send it to the client".

"add_header" means "for certain response codes, send this header
name/value in the response".

However...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.

Whether your browser would do anything with an X-Frame-Options header,
is entirely up to your browser. (If it would not do anything, then
spending time configuring your nginx to send the header will not benefit
the browser.)


If you can show a complete-minimal config that shows the problem that
you see, it may become clearer what changes are needed on the nginx side.

Cheers,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
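The directive behaviour described in the reply above, as an added example that is not part of the original thread or anyone's real configuration: it replaces the `allow-from` attempt with a Content-Security-Policy `frame-ancestors` directive. The host names, certificate paths and upstream address are placeholders, and it assumes the `ssl-params.conf` snippet is included at `server` level.

```nginx
# Constructed example. cloud.example.org (the site whose pages get framed),
# office.example.org (the origin allowed to frame them), the certificate
# paths and 127.0.0.1:8080 are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name cloud.example.org;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # The snippet from the thread; it sets X-Frame-Options SAMEORIGIN.
    # Assumption: it is included here, at server level.
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # Do not pass on an X-Frame-Options header that the proxied
        # application itself sends.
        proxy_hide_header X-Frame-Options;

        # The attempt from the thread. ALLOW-FROM is in MDN's "don't use it"
        # set, so it is left commented out:
        # add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

        # Replacement: name the permitted framing origins with CSP.
        # "always" sends the header for every response code, not only the
        # default set that add_header covers.
        add_header Content-Security-Policy
                   "frame-ancestors 'self' https://office.example.org" always;

        # add_header lines are inherited from the server level only when
        # the current level defines none. This location defines one, so the
        # snippet's X-Frame-Options SAMEORIGIN is not sent for it, and
        # neither is any other add_header the snippet contains: repeat here
        # whichever of those are still wanted.

        # If the proxied application already sends its own
        # Content-Security-Policy, the browser enforces every policy it
        # receives, so a stricter upstream frame-ancestors still applies.
    }
}
```

Run `nginx -t` before reloading, then compare the response headers shown in the browser's developer tools against the ones you expect.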