X-Frame-Options in nginx to allow certain subdomain
Daniel Armando Rodriguez
drodriguez at unau.edu.ar
Fri Nov 26 19:04:46 UTC 2021
El 2021-11-26 11:19, Francis Daly escribió:
> On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez
> Hi there,
>> One of them is a NextCloud + WOPI based LibreOffice Online Solution,
>> as such
>> it needs to access resources in WOPI server subdomain. What I need is
>> nginx to allow X-Frame-Options for WOPI server subdomain.
> It sounds like you want a request from the client, to have a specific
> header with a specific value in the response when being proxy_pass'ed
> through nginx.
Well, it's not a browser request but OxOffice Online one. Whith
X-Frame-Options set to SAMEORIGIN I can work, can edit documents,
spreadsheets and so on. The issue raises when doing a presentation as a
new browser window is displayed. And console says
chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a
frame because it set 'X-Frame-Options' to 'sameorigin'.
Nextcloud is hosted on it's own subdomain (cloud.dominio.edu.ar) and
WOPI web services are consumed from wopi.dominio.edu.ar
> Can you show one request that you make, and the response that you get,
> and the response that you want to get instead?
If I disable X-Frame-Options set to SAMEORIGIN presentation appears as
it should, but I don't like the idea to dissallow X-Frame-Options just
for one service.
> Possibly the browser "developer tools" console can show the network
> requests and responses; I suspect that you only care about the http
> response headers, not the response body.
>> My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to
>> I've tried adding following line to NC conf file with no luck:
>> proxy_hide_header X-Frame-Options
>> Also tried adding this line, with no luck either
>> add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";
> What does "no luck" mean, here?
The refused to display 'https://wopi.dominio.edu.ar/
> I suspect it is "the browser did not end up doing what I want"; but
> an nginx perspective it would be easier if you could say "I want *this*
> response but I get *that* response". (What the browser does with the
> response is less interesting, from this viewpoint.)
> When it comes to nginx directives, adding things in one part of the
> config can "hide" or "override" things written elsewhere, for one
> "proxy_hide_header" means "if the proxy_pass response includes this
> header, do not send it to the client".
> "add_header" means "for certain response codes, send this header
> name/value in the response".
> suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
> DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.
> Whether your browser would do anything with an X-Frame-Options header,
> is entirely up to your browser. (If it would not do anything, then
> spending time configuring your nginx to send the header will not
> the browser.)
> If you can show a complete-minimal config that shows the problem that
> you see, it may become clearer what changes are needed on the nginx
NextCloud Server =
Wopi Server =
Nginx SSL =
Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
More information about the nginx