X-Frame-Options in nginx to allow certain subdomain

Daniel Armando Rodriguez drodriguez at unau.edu.ar
Sat Nov 27 14:26:44 UTC 2021

On 2021-11-26 20:30, Francis Daly wrote:
> On Fri, Nov 26, 2021 at 04:04:46PM -0300, Daniel Armando Rodriguez 
> wrote:
>> On 2021-11-26 11:19, Francis Daly wrote:
>> > On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez
>> > wrote:
> Hi there,
>> > > One of them is a NextCloud + WOPI based LibreOffice Online Solution,
>> > > as such
>> > > it needs to access resources in WOPI server subdomain. What I need
>> > > is my
>> > > nginx to allow X-Frame-Options for WOPI server subdomain.
>> >
>> > It sounds like you want a request from the client, to have a specific
>> > header with a specific value in the response when being proxy_pass'ed
>> > through nginx.
>> Well, it's not a browser request but OxOffice Online one. With
>> X-Frame-Options set to SAMEORIGIN I can work, can edit documents,
>> spreadsheets and so on. The issue arises when doing a presentation as a new
>> browser window is displayed. And console says
>> chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a
>> frame because it set 'X-Frame-Options' to 'sameorigin'.
> Ok, so a request to "wopi" currently includes 'X-Frame-Options sameorigin'
> in the response; and you don't want that.
>> Nextcloud is hosted on its own subdomain (cloud.dominio.edu.ar) and
>> web services are consumed from wopi.dominio.edu.ar
>> > Can you show one request that you make, and the response that you get,
>> > and the response that you want to get instead?
>> If I disable X-Frame-Options set to SAMEORIGIN presentation appears as it
>> should, but I don't like the idea to disallow X-Frame-Options just for one
>> service.
> I think that says that when you turn off X-Frame-Options for all servers,
> the response from wopi does not include the header, and things work
> for you.
> Does "disable X-Frame-Options set to SAMEORIGIN" mean "have no
> X-Frame-Options at all"; or "have X-Frame-Options set to allow-from
> cloud"? (Or: something else?)

In this case, the former. Have no X-Frame-Options at all

> But you don't want to turn off X-Frame-Options for all servers. Are you
> happy to turn off X-Frame-Options for the wopi server?
> (I'm trying to find out, what is the specific response you want nginx
> to provide.)

If there's no way to bypass SAMEORIGIN for this specific server, could
sleep turning off X-Frame-Options for the wopi server.

>> > I suspect it is "the browser did not end up doing what I want"; but from
>> > an nginx perspective it would be easier if you could say "I want *this*
>> > response but I get *that* response". (What the browser does with the
>> > response is less interesting, from this viewpoint.)
>> > If you can show a complete-minimal config that shows the problem that
>> > you see, it may become clearer what changes are needed on the nginx
>> > side.
>> NextCloud Server = https://pad.unau.edu.ar/p/r.12c074621fc8c7a6ab900a0899872dbf
>> Wopi Server = https://pad.unau.edu.ar/p/r.9b59663162dd956d7fe6604ba9e0870c
>> Nginx SSL = https://pad.unau.edu.ar/p/r.861b2c17a9ad10e0c741a0588065e317
> Based on the current words there, I think that any request to "wopi"
> will include the 5 response headers listed as "add_header" in the third
> link (including X-Frame-Options SAMEORIGIN); and any request to "cloud"
> will not include those 5 headers, but will include Front-End-Https and
> Strict-Transport-Security.
> Is that what you currently see; and is that what you want to see?
> (That is: X-Frame-Options is already turned off for "cloud".)
> (For example: "curl -I https://cloud.dominio.edu.ar/" will show the headers.)

These are the headers:

HTTP/2 200
server: nginx
date: Sat, 27 Nov 2021 12:50:25 GMT
content-type: text/html
content-length: 612
last-modified: Tue, 04 Dec 2018 14:52:24 GMT
etag: "5c0694a8-264"
strict-transport-security: max-age=63072000
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-robots-tag: none
accept-ranges: byte

> Based on that... I'm not sure what nginx behaviour you actually want.

What I need is wopi.domain xframe call allowed from cloud.domain

> One possible suggestion is:
> * remove the add_header X-Frame-Options line from ssl-params.conf
> * wherever you currently have "include ssl-params.conf", add the line
> 'add_header X-Frame-Options SAMEORIGIN;'
> * except in the "wopi" server, add the line 'add_header X-Frame-Options
> "allow-from whatever";'. Or maybe omit the line entirely.

Any way to do that the other way around? I mean having SAMEORIGIN for
all and just allowing a specific domain in one server config.

> (I suspect that "whatever" will be "the cloud url"; but it is "whatever
> chromewebdata wants to see". The header is irrelevant to nginx; only
> the thing reading it cares what it says.)
> Hopefully this will help point you towards the config that you want.

Currently playing around with CSP options... will see


  Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
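As an added example (not the poster's configuration from the pad links), the layout Francis suggests, with the "wopi" server answering the "other way around" question through a CSP frame-ancestors directive rather than the obsolete ALLOW-FROM value; the backend ports, the `always` flag and the placement of `include ssl-params.conf` inside each server block are assumptions:

```nginx
# ssl-params.conf: shared hardening headers, with X-Frame-Options removed
# so that each server block decides its own framing policy.
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "none" always;

# Nextcloud front end: may only be framed by pages from its own origin.
server {
    listen 443 ssl http2;
    server_name cloud.dominio.edu.ar;
    include ssl-params.conf;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        # No add_header in this location: a single add_header here would
        # discard every header inherited from the server level.
        proxy_pass http://127.0.0.1:8080;   # assumed Nextcloud backend
    }
}

# WOPI / LibreOffice Online: may be framed by itself and by the cloud host.
server {
    listen 443 ssl http2;
    server_name wopi.dominio.edu.ar;
    include ssl-params.conf;
    # Chrome never honoured "X-Frame-Options: ALLOW-FROM"; frame-ancestors
    # is the CSP replacement, so X-Frame-Options is omitted on this host.
    add_header Content-Security-Policy
        "frame-ancestors 'self' https://cloud.dominio.edu.ar" always;

    location / {
        # add_header appends to whatever the backend sends; if the WOPI
        # application emits its own X-Frame-Options, hide that copy so the
        # browser does not see a stricter header alongside the CSP one.
        proxy_hide_header X-Frame-Options;
        proxy_pass http://127.0.0.1:9980;   # assumed WOPI/Online backend
    }
}
```

After a reload, `curl -I https://wopi.dominio.edu.ar/` should show the Content-Security-Policy header and no X-Frame-Options, while `curl -I https://cloud.dominio.edu.ar/` still shows `x-frame-options: SAMEORIGIN`.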
