Setting X-Frame-Origin


#1

I have an issue with some functionality I need to use in an application I’m testing on Cloud9. According to its help forum, to overcome this I need to set X-Frame-Origin to SAMEHOST, and I can’t see how to do this. I’m using the standard Apache/PHP workspace setup.

How can I set this header?


#2
  • I’ve run sudo a2enmod in my workspace to enable mod_headers
  • In /etc/apache2/conf.enabled, there is a symlink to security.conf.
  • security.conf contains the line 'append X-FRAME-OPTIONS "SAMEORIGIN"'. This line was originally commented out, but I've removed the '#'.
  • I’ve restarted Apache after the changes above

As far as I can see, these changes should lead to the server providing a header line “X-Frame-Options: SAMEORIGIN”, but no such header line appears.

I’m not aware of any other changes required to enable this, and I don’t seem to be the only one wanting to do this - there are a couple of other topics on this subject, but there are no answers!

Does anyone know what the issue is?


#3

Can you try adding this to the conf:
Header always append X-Frame-Options SAMEORIGIN
If that doesn’t work, try adding this to the .htaccess file in the workspace directory:
Header append X-FRAME-OPTIONS "SAMEORIGIN"
Then use something like the Postman extension to test it.


#4

Thanks for replying!

  1. I added the line to /etc/apache2/conf-available/security.conf, and restarted Apache. This is the output in postman:

    Access-Control-Allow-Headers →Content-Type, X-Requested-With, x-request-metadata
    Access-Control-Allow-Methods →GET, OPTIONS, PUT, POST, DELETE, HEAD, PROPFIND, PATCH
    Access-Control-Allow-Origin →*
    Access-Control-Expose-Headers →x-content-length, x-metadata-length
    Access-Control-Max-Age →8640000
    Content-Type →text/html
    Date →Thu, 20 Oct 2016 20:51:23 GMT
    Strict-Transport-Security →max-age=31536000
    Transfer-Encoding →chunked
    X-BACKEND →oldclient
    X-Frame-Options →DENY
    cache-control →no-transform

    …So that didn’t work. Looking at it afterwards, the same line is actually already in /etc/apache2/apache.conf!

  2. I commented that back out, and instead added the suggested line to .htaccess. I still get exactly the same output.

Just to be sure, here’s the output of apachectl -M:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)

…so mod-headers is definitely enabled; I just can’t seem to get it to send this header!

I’ve also done
grep -ir frame *
in the apache2 directory, and it returns this:

apache2.conf:Header always append X-Frame-Options SAMEORIGIN
conf-available/security.conf:# site as frames. This defends against clickjacking attacks.
conf-available/security.conf:#Header set X-Frame-Options: "sameorigin"
conf-available/security.conf:Header always append X-Frame-Options SAMEORIGIN
magic:# frame:  file(1) magic for FrameMaker files
magic:# This stuff came on a FrameMaker demo tape, most of which is
magic:0 string          \<MakerFile     application/x-frame
magic:0 string          \<MIFFile       application/x-frame
magic:0 string          \<MakerDictionary       application/x-frame
magic:0 string          \<MakerScreenFon        application/x-frame
magic:0 string          \<MML           application/x-frame
magic:0 string          \<Book          application/x-frame
magic:0 string          \<Maker         application/x-frame

…so the right text is in there.

What can I try next?
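Added example, not code from this thread or from Cloud9: a small Python checker for the header the thread is trying to set, which parses either raw "Name: value" HTTP header lines or the Postman-style "Name →value" listing pasted in post #4 and classifies the X-Frame-Options value. It also flags the trap with `Header append`: if some other layer has already put X-Frame-Options on the response, Apache comma-joins the values, and "DENY, SAMEORIGIN" is not a valid X-Frame-Options value. The response above carries only DENY with no SAMEORIGIN joined to it, which is consistent with the header being set by something in front of Apache rather than by the directive added in the workspace, though the thread does not confirm that. The names `parse_headers`, `check_xfo`, the `expected` parameter and both sample inputs are my own constructions.

```python
"""Check an HTTP response's X-Frame-Options (XFO) header after a mod_headers
change. Added example, not code from this thread or from Cloud9.
Accepts raw "Name: value" header lines or the Postman-style "Name →value"
lines. All inputs below are constructed."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Postman listing from post #4, trimmed.
POSTMAN_OUTPUT = """\
Access-Control-Allow-Origin →*
Content-Type →text/html
X-BACKEND →oldclient
X-Frame-Options →DENY
cache-control →no-transform
"""

# Constructed sample: what `Header append` produces when the response already
# carries XFO from an earlier layer; Apache comma-joins the values.
APPENDED_OUTPUT = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY, SAMEORIGIN
"""

# Header line: name, then ':' (raw HTTP) or '→' (Postman), then value.
_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(?::|→)\s*(.*?)\s*$")


def parse_headers(text: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values (repeated lines are kept)."""
    headers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        match = _LINE.match(line)
        if match:
            headers.setdefault(match.group(1).lower(), []).append(match.group(2))
    return headers


VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def check_xfo(headers: Dict[str, List[str]],
              expected: Optional[str] = None) -> Tuple[str, str]:
    """Classify the XFO header: ('ok'|'missing'|'invalid'|'mismatch', detail).

    Repeated header lines and comma-joined values are both flattened into one
    directive list; more than one directive is not valid XFO syntax, which is
    what `Header append` yields when another layer already set the header.
    """
    values = headers.get("x-frame-options", [])
    if not values:
        return "missing", "no X-Frame-Options header in the response"
    directives = [d.strip().upper() for v in values for d in v.split(",") if d.strip()]
    if len(directives) > 1:
        return "invalid", f"several directives {directives}; use 'Header set' rather than 'append'"
    directive = directives[0]
    if directive.startswith("ALLOW-FROM"):
        return "invalid", "ALLOW-FROM is obsolete; use Content-Security-Policy frame-ancestors"
    if directive not in VALID_DIRECTIVES:
        return "invalid", f"unrecognised value {directive!r}"
    if expected and directive != expected.upper():
        return "mismatch", (f"got {directive}, expected {expected.upper()}; the header is set "
                            "by something other than, or earlier than, the directive you added")
    return "ok", directive


if __name__ == "__main__":
    for name, sample in (("postman", POSTMAN_OUTPUT), ("appended", APPENDED_OUTPUT)):
        print(name, check_xfo(parse_headers(sample), expected="SAMEORIGIN"))
```

Paste the header listing from Postman (or from `curl -sI <url>`) into a file and feed it to `parse_headers`; a "mismatch" against SAMEORIGIN, as with the output above, means the value you see is not coming from the line you edited, so the place to look is whatever sits between the browser and Apache rather than the Apache config itself.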


#5

Hmmm, not sure, could you post the workspace link here so I could take a look at it myself?


#6

It’s at https://ide.c9.io/daldred/ctest.

It’s a private workspace, so I’ve shared access with you.

Thanks for your help.


#7

Hi - did you manage to look at this?

If not (and if you can’t do so now) I’ll remove the sharing, just on general principles!


#8

I’m so sorry, yes I did look at it and try out a few things, but unfortunately I couldn’t get it to work. Hope you’ll be able to figure it out, sorry I couldn’t do more.