X-Frame-Options in nginx to allow certain subdomain

Daniel Armando Rodriguez drodriguez at unau.edu.ar
Fri Nov 26 19:04:46 UTC 2021

El 2021-11-26 11:19, Francis Daly escribió:
> On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez 
> wrote:
> Hi there,
>> One of them is a NextCloud + WOPI based LibreOffice Online Solution, 
>> as such
>> it needs to access resources in WOPI server subdomain. What I need is 
>> my
>> nginx to allow X-Frame-Options for WOPI server subdomain.
> It sounds like you want a request from the client, to have a specific
> header with a specific value in the response when being proxy_pass'ed
> through nginx.

Well, it's not a browser request but OxOffice Online one. Whith 
X-Frame-Options set to SAMEORIGIN I can work, can edit documents, 
spreadsheets and so on. The issue raises when doing a presentation as a 
new browser window is displayed. And console says

chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a 
frame because it set 'X-Frame-Options' to 'sameorigin'.

Nextcloud is hosted on it's own subdomain (cloud.dominio.edu.ar) and 
WOPI web services are consumed from wopi.dominio.edu.ar

> Can you show one request that you make, and the response that you get,
> and the response that you want to get instead?

If I disable X-Frame-Options set to SAMEORIGIN presentation appears as 
it should, but I don't like the idea to dissallow X-Frame-Options just 
for one service.

> Possibly the browser "developer tools" console can show the network
> requests and responses; I suspect that you only care about the http
> response headers, not the response body.
>> My /etc/nginx/snippets/ssl-params.conf have the X-Frame-Options set to
>> I've tried adding following line to NC conf file with no luck:
>> proxy_hide_header X-Frame-Options
>> Also tried adding this line, with no luck either
>> add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";
> What does "no luck" mean, here?

The refused to display 'https://wopi.dominio.edu.ar/

> I suspect it is "the browser did not end up doing what I want"; but 
> from
> an nginx perspective it would be easier if you could say "I want *this*
> response but I get *that* response". (What the browser does with the
> response is less interesting, from this viewpoint.)
> When it comes to nginx directives, adding things in one part of the
> config can "hide" or "override" things written elsewhere, for one 
> request.
> "proxy_hide_header" means "if the proxy_pass response includes this
> header, do not send it to the client".
> "add_header" means "for certain response codes, send this header
> name/value in the response".
> However...
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
> suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
> DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.
> Whether your browser would do anything with an X-Frame-Options header,
> is entirely up to your browser. (If it would not do anything, then
> spending time configuring your nginx to send the header will not 
> benefit
> the browser.)
> If you can show a complete-minimal config that shows the problem that
> you see, it may become clearer what changes are needed on the nginx 
> side.
> Cheers,


NextCloud Server = 
      Wopi Server = 
        Nginx SSL = 


  Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina

More information about the nginx mailing list