X-Frame-Options in nginx to allow certain subdomain

Francis Daly francis at daoine.org
Fri Nov 26 14:19:08 UTC 2021

On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:

Hi there,

> One of them is a NextCloud + WOPI based LibreOffice Online Solution, as such
> it needs to access resources in WOPI server subdomain. What I need is my
> nginx to allow X-Frame-Options for WOPI server subdomain.

It sounds like you want a request from the client, to have a specific
header with a specific value in the response when being proxy_pass'ed
through nginx.

Can you show one request that you make, and the response that you get,
and the response that you want to get instead?

Possibly the browser "developer tools" console can show the network
requests and responses; I suspect that you only care about the http
response headers, not the response body.

> My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to
> I've tried adding following line to NC conf file with no luck:
> proxy_hide_header X-Frame-Options
> Also tried adding this line, with no luck either
> add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

What does "no luck" mean, here?

I suspect it is "the browser did not end up doing what I want"; but from
an nginx perspective it would be easier if you could say "I want *this*
response but I get *that* response". (What the browser does with the
response is less interesting, from this viewpoint.)

When it comes to nginx directives, adding things in one part of the
config can "hide" or "override" things written elsewhere, for one request.

"proxy_hide_header" means "if the proxy_pass response includes this
header, do not send it to the client".

"add_header" means "for certain response codes, send this header
name/value in the response".


suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.

Whether your browser would do anything with an X-Frame-Options header,
is entirely up to your browser. (If it would not do anything, then
spending time configuring your nginx to send the header will not benefit
the browser.)

If you can show a complete-minimal config that shows the problem that
you see, it may become clearer what changes are needed on the nginx side.


Francis Daly        francis at daoine.org
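
The following is an added example, not part of the original message or of either poster's configuration. It shows one way to express "this one other origin may frame my pages" with Content-Security-Policy `frame-ancestors` in place of `X-Frame-Options: ALLOW-FROM`, and how `add_header` at `location` level overrides what an included snippet sets at `server` level. The host names `cloud.example.com` and `wopi.example.com`, the upstream address and the certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name cloud.example.com;                          # placeholder host

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem; # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;   # placeholder path

    # Snippet named in the thread; per the thread it sets X-Frame-Options
    # with add_header at this (server) level.
    include snippets/ssl-params.conf;

    # Form tried in the thread, shown for comparison only. ALLOW-FROM is
    # in the "don't use it" set, so this is not a working allow-list:
    #   add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";

    location / {
        proxy_pass http://127.0.0.1:8080;                   # placeholder upstream
        proxy_set_header Host $host;

        # If the proxied application sends its own X-Frame-Options,
        # do not pass it on to the client.
        proxy_hide_header X-Frame-Options;

        # add_header directives are inherited from the server level only
        # when this level defines none. Defining one here means the
        # headers added by ssl-params.conf are no longer sent for this
        # location, including its X-Frame-Options.
        # "always" sends the header on error responses as well.
        add_header Content-Security-Policy
            "frame-ancestors 'self' https://wopi.example.com" always;

        # Any other header from ssl-params.conf that is still wanted for
        # this location must be repeated here with its own add_header.
    }
}
```

If the proxied application already sends a Content-Security-Policy header, the browser enforces every policy it receives, so the framing origin must be permitted by that policy too. Check the result the way the reply suggests: compare the response headers the client receives with the ones intended, for example with `curl -sI` or the browser's network panel.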
