XF 1.5 header X-Frame-Options: SAMEORIGIN twice

dbembibre

dbembibre

Active member
I migrate from xf 1.2 to xf1.5 recently. I have a strange problem, is possible that xenforo send a x-frame-options header ?
If i get the http headers of other page that is not xenforo i dont have the x-frame-options twice. I check all my nginx configuration files and only found one header declaration.

Code: 
Content-Type: text/html; charset=UTF-8
nginx

Content-Length: 106321
Connection: keep-alive
Vary: Accept-Encoding
Cache-control: private, max-age=0

Set-Cookie: xf_session=xxxxx; path=/; secure; httponly

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
x-xss-protection: 1; mode=block
X-Content-Type-Options: nosniff

x-frame-options: SAMEORIGIN

Content-Security-Policy: default-src 'self' https://pagead2.googlesyndication.com; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://pagead2.googlesyndication.com https://secure.gravatar.com;  font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com https://themes.googleusercontent.com https://www.gstatic.com; connect-src 'self' https://fonts.gstatic.com https://pagead2.googlesyndication.com; media-src 'self' data: https://ssl.gstatic.com; object-src 'self' https://fonts.gstatic.com https://pagead2.googlesyndication.com https://www.gstatic.com; child-src 'self'; frame-src 'self' https://googleads.g.doubleclick.net gsa://onpageload https://onpageload https://secure.gravatar.com https://tpc.googlesyndication.com ; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; report-uri https://cspviolations.report-uri.io/r/default/csp/enforce


Thanks a lot
 
Sort by date Sort by votes
XF implemented "click jacking" protection in XF 1.2 (so you should have already had that). With that enabled (which it is by default) we will send a X-Frame-Options SAMEORIGIN header. But we should only send it once.
 
Upvote 0 Downvote
Mike said:
There are a lot of non-standard headers there, so I have to guess that you have something adding it outside of XF.
Click to expand...

Yes are the headers that my nginx configuration has.
Great thanks to the @Chris D post I found in help that i can disable the click jacking in config.php and control my header via nginx configuration that is i do. Sorry for my misunderstanding I'm member of this forum from the beginning but dont remember nothing about the click jacking option. (n) now only have one x-frame-options header once deactivate the option in xenforo config file.

Thanks a lot and sorry again :LOL:
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

shimspedy
  • Question Question
XF 2.0 i need help on how to add X-Frame-Options
Replies
2
Views
790
Arty
Arty
S
  • Question Question
XF 1.4 X-Frame-Options
Replies
3
Views
776
Optic
Optic
Back
Top Bottom