X-Frame-Options in nginx to allow certain subdomain

Francis Daly francis at daoine.org
Tue Nov 30 20:17:31 UTC 2021

On Sat, Nov 27, 2021 at 11:26:44AM -0300, Daniel Armando Rodriguez wrote:
> On 2021-11-26 20:30, Francis Daly wrote:
> > On Fri, Nov 26, 2021 at 04:04:46PM -0300, Daniel Armando Rodriguez
> > wrote:
> > > On 2021-11-26 11:19, Francis Daly wrote:
> > > > On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez
> > > > wrote:

Hi there,

> > Ok, so a request to "wopi" currently includes 'X-Frame-Options sameorigin'
> > in the response; and you don't want that.

> > But you don't want to turn off X-Frame-Options for all servers. Are you
> > happy to turn off X-Frame-Options for the wopi server?
> If there's no way to bypass SAMEORIGIN for this specific server, could sleep
> turning off X-Frame-Options for the wopi server

I think I'm still a bit confused about what your starting point is,
and what your desired end result is.

(The desired end result is "it works"; I'm unclear about what the nginx
output should be when "it works".)

Perhaps there is a confusion of terminology? Let's say:

* there is one nginx service, which uses the config file plus included

* within that service, there are multiple servers -- each server{}
block within the http{} block is a server. They can be identified by
server_name, for example.

Using those terms: what is the response that you want for each request?

As an extra level of detail, within each server, there are multiple
locations -- each location{} block within the server{} block is another
set of configuration directives.

(Often, each "location" is a url-prefix, and different prefixes are
proxy_pass'ed to different back-end (or upstream) servers.)

Each request to the nginx service will be handled in one server, and
then in one location in that server.

And you control the configuration per location.

So you *can* set whatever headers you want, differently in each location
in one server, and differently for each server in the service.

> > > NextCloud Server =
> > > https://pad.unau.edu.ar/p/r.12c074621fc8c7a6ab900a0899872dbf
> > >      Wopi Server =
> > > https://pad.unau.edu.ar/p/r.9b59663162dd956d7fe6604ba9e0870c
> > >        Nginx SSL =
> > > https://pad.unau.edu.ar/p/r.861b2c17a9ad10e0c741a0588065e317

> > Based on the current words there, I think that any request to "wopi"
> > will include the 5 response headers listed as "add_header" in the third
> > link (including X-Frame-Options SAMEORIGIN); and any request to "cloud"
> > will not include those 5 headers, but will include Front-End-Https and
> > Strict-Transport-Security.
> > 
> > Is that what you currently see; and is that what you want to see?
> > 
> > (That is: X-Frame-Options is already turned off for "cloud".)
> > 
> > (For example: "curl -I https://cloud.dominio.edu.ar/" will show the
> > headers.)
> These are the headers
> HTTP/2 200
> server: nginx
> date: Sat, 27 Nov 2021 12:50:25 GMT
> content-type: text/html
> content-length: 612
> last-modified: Tue, 04 Dec 2018 14:52:24 GMT
> etag: "5c0694a8-264"
> strict-transport-security: max-age=63072000
> x-frame-options: SAMEORIGIN
> x-content-type-options: nosniff
> x-xss-protection: 1; mode=block
> x-robots-tag: none
> accept-ranges: byte

In your provided config, the "cloud" server has "location /"
with two add_header directives for Front-End-Https and for
Strict-Transport-Security; and it has a "proxy_hide_header

I do not understand how that configuration can lead to this response.

(This response includes headers set in the "SSL" file; but they should
not be used in this request.)

Is there any chance that the configuration currently being used is
different from the configuration shown at those pad.unau.edu.ar urls?

> > Based on that... I'm not sure what nginx behaviour you actually want.
> What I need is wopi.domain xframe call allowed from cloud.domain

I think that means that some requests to the "wopi" server should include
a specific X-Frame-Options header in the response.

Maybe it means *all* requests to the wopi server should include that?

In the config provided, the "wopi" server has six "location"s (plus
whatever is in the included files). There is not a "location /", so any
requests that do not match the explicit location{}s will use the default.

There are no add_header directives in any of the location{}s, so each
will use the values inherited from server-level -- which is "from the
SSL file", in this case.

> > One possible suggestion is:
> > 
> > * remove the add_header X-Frame-Options line from ssl-params.conf
> > * wherever you currently have "include ssl-params.conf", add the line
> > 'add_header X-Frame-Options SAMEORIGIN;'
> > * except in the "wopi" server, add the line 'add_header X-Frame-Options
> > "allow-from whatever";'. Or maybe omit the line entirely.
> Any way to do that the other way around? I mean having SAMEORIGIN for all
> and just allow a specific domain in one server config.

That is what that config suggests, no? Add SAMEORIGIN for most; add
domain for one server.

If you mean something like "keep SAMEORIGIN in the common file"; then yes,
you can do that -- but then the server that wants a different header will
have to "add_header" for all of the headers that it wants to add; not
just the X-Frame-Options that it wants to be different from the others.

That is how nginx config is inherited.

Pick whichever option you prefer.

Good luck with it,

Francis Daly        francis at daoine.org
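Added example, not part of Francis Daly's message or of the configuration posted in the thread: a minimal nginx layout showing the inheritance rule the reply describes. nginx uses the add_header directives of the enclosing level only when the current level defines no add_header of its own, so a single add_header in a location replaces the whole inherited set rather than extending it. The server names, backend addresses, file name and the /hosting/ location are assumptions made for the example. One practitioner's caveat that the thread does not state: current browsers ignore the X-Frame-Options ALLOW-FROM value, so "allow framing from one other origin" is expressed with a Content-Security-Policy frame-ancestors directive instead.

```nginx
# Added example (not the thread's config). Shows why the option Francis
# describes works: add_header is inherited from the enclosing level only
# when the current level has NO add_header of its own.
#
# Assumed common include, with the X-Frame-Options line removed:
#   /etc/nginx/ssl-params.conf
#     add_header X-Content-Type-Options nosniff;
#     add_header X-XSS-Protection "1; mode=block";
#     add_header X-Robots-Tag none;
#     add_header Strict-Transport-Security "max-age=63072000";

http {
    # Ordinary servers: include the common file, then add SAMEORIGIN
    # at the same (server) level so both sets apply together.
    server {
        listen 443 ssl;
        server_name cloud.example.edu;              # assumed host name
        include ssl-params.conf;
        add_header X-Frame-Options SAMEORIGIN;

        location / {
            # No add_header here, so this location inherits the four
            # common headers plus X-Frame-Options from the server level.
            proxy_pass http://127.0.0.1:8080;       # assumed backend
        }
    }

    # The wopi server: same include, but it must be framed by "cloud".
    server {
        listen 443 ssl;
        server_name wopi.example.edu;               # assumed host name
        include ssl-params.conf;
        # No X-Frame-Options at all; browsers no longer honour ALLOW-FROM.
        # The permitted framing origin is stated with CSP instead.
        add_header Content-Security-Policy
            "frame-ancestors 'self' https://cloud.example.edu";

        location / {
            proxy_pass http://127.0.0.1:9980;       # assumed backend
        }

        location /hosting/ {                        # assumed path
            # Pitfall: the single add_header below would discard every
            # header inherited from the server level. To keep them, the
            # location has to repeat the full list it wants.
            add_header Cache-Control "no-store";
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header Strict-Transport-Security "max-age=63072000";
            add_header Content-Security-Policy
                "frame-ancestors 'self' https://cloud.example.edu";
            proxy_pass http://127.0.0.1:9980;
        }
    }
}
```

After reloading, the check is the one already given in the thread: `curl -I https://wopi.example.edu/` should show the common headers and the Content-Security-Policy line but no x-frame-options, while the same request to the cloud host should show x-frame-options: SAMEORIGIN. Note also that add_header only applies to 2xx and 3xx responses unless the directive carries the `always` parameter, so an error page proxied from the backend will not carry these headers without it.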
