
X-Frame-Options header set to empty value #10167

Closed
powerriegel opened this issue May 20, 2016 · 15 comments · Fixed by #11358
Labels
Bug For errors / faults / flaws / inconsistencies etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.
Milestone

Comments

@powerriegel

powerriegel commented May 20, 2016

Hello,
I'm running Piwik 2.16.1 and use the Custom Opt-Out plugin. I don't know if this bug is related to custom opt-out or not but it also appears if no custom opt-out html is set.

On the page where my Opt-out is embedded in an IFrame, Chrome reports

Invalid 'X-Frame-Options' header encountered when loading 'https://mydomain.compiwik/index.php?module=CoreAdminHome&action=optOut&idsite=25&language=de': '' is not a recognized directive. The header will be ignored.

Opening the frame content in a new tab I can see the empty header in chrome dev tools:

Server:Apache/2.2.22 (Debian)
Vary:Accept-Encoding
X-Frame-Options:

Maybe this is the problem: https://github.com/piwik/piwik/blob/master/core/View.php#L340

Valid values are DENY, SAMEORIGIN, ALLOW-FROM, the latter with very poor browser support.

Empty values are not allowed.

Or is this configurable?
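A check for what the browser warning quoted above describes, added here as an example and not part of this issue or of Piwik's code: the script parses a raw HTTP/1.x response head and classifies the X-Frame-Options value the way a browser treats it (DENY and SAMEORIGIN honoured, ALLOW-FROM obsolete, an empty or unknown value ignored so the page becomes frameable). The sample responses are constructed, modelled on the headers shown above; the helper names and the `HONOURED_DIRECTIVES` set are this example's own.

```python
"""Validate the X-Frame-Options header in a raw HTTP response.

Added example for this thread; it is not Piwik/Matomo code. Only the head of
the response (up to the first blank line) is parsed; the body is ignored.
"""
from typing import List, NamedTuple, Tuple

# Directives browsers still honour (RFC 7034 lists these two plus ALLOW-FROM).
HONOURED_DIRECTIVES = {"DENY", "SAMEORIGIN"}


class XfoResult(NamedTuple):
    status: str          # "valid", "deprecated", "invalid" or "missing"
    values: List[str]    # every X-Frame-Options value found, in header order
    reason: str          # human-readable explanation


def parse_response_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into lower-cased (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x response")
    pairs = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_x_frame_options(raw: str) -> XfoResult:
    """Classify the X-Frame-Options header(s) of a raw response."""
    values = [v for n, v in parse_response_head(raw) if n == "x-frame-options"]
    if not values:
        return XfoResult("missing", values,
                         "no X-Frame-Options header; framing is allowed unless a "
                         "Content-Security-Policy frame-ancestors directive restricts it")
    if len(values) > 1:
        # A second copy (for example one from the application and one from
        # .htaccess) is a misconfiguration: browsers do not merge them.
        return XfoResult("invalid", values,
                         "multiple X-Frame-Options headers; send exactly one")
    value = values[0]
    if value == "":
        # The case from this issue: Chrome logs "'' is not a recognized
        # directive" and ignores the header entirely.
        return XfoResult("invalid", values,
                         "empty value; the browser ignores the header, so the page can be framed")
    directive, _, argument = value.partition(" ")
    directive = directive.upper()   # header values are case-insensitive
    if directive in HONOURED_DIRECTIVES and not argument.strip():
        return XfoResult("valid", values, f"{directive} is honoured by browsers")
    if directive == "ALLOW-FROM" and argument.strip():
        return XfoResult("deprecated", values,
                         "ALLOW-FROM is ignored by current browsers; use "
                         "Content-Security-Policy: frame-ancestors instead")
    return XfoResult("invalid", values,
                     f"{value!r} is not a recognised directive; the header is ignored")


# Constructed sample responses (not real captures). The first reproduces the
# empty header shown in this issue; the others cover the fixed and edge cases.
EMPTY_XFO = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n"
             "Vary: Accept-Encoding\r\nX-Frame-Options:\r\n\r\n<html></html>")
FIXED_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\n\r\n"
DUPLICATE_XFO = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\n\r\n")
ALLOW_FROM_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.org\r\n\r\n"
NO_XFO = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("empty", EMPTY_XFO), ("fixed", FIXED_XFO),
                          ("duplicate", DUPLICATE_XFO),
                          ("allow-from", ALLOW_FROM_XFO), ("none", NO_XFO)]:
        result = check_x_frame_options(sample)
        print(f"{label:10} {result.status:10} {result.values} -> {result.reason}")
```

To run it against a real installation, capture the raw head with `curl -si` (which preserves the CRLF line endings the parser expects) and pass that string to `check_x_frame_options`; an `invalid` result with `values == ['']` is exactly the condition Chrome complains about here.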

@tsteur
Member

tsteur commented May 22, 2016

Thx for reporting the issue 👍 I can reproduce this issue and also get the empty value because of 00029a8#diff-3b04c2fd13299169fa41941cde7074d0R163

This seems like an easy fix by actually sending "allow". @mattab do you remember why this was needed?

@tsteur tsteur added Bug For errors / faults / flaws / inconsistencies etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. labels May 22, 2016
@tsteur tsteur added this to the 2.16.x (LTS) milestone May 22, 2016
@mattab mattab self-assigned this May 27, 2016
@blueelvis
Contributor

Hey @mattab - A real newbie in OSS here. Do you think this commit is a good fix for this bug? Any way I could improve it?

https://github.com/blueelvis/piwik/commit/ef9c62868b59c0bd4ff2148a307f409c51456232

@mattab
Member

mattab commented Jul 8, 2016

@blueelvis the link does not work for me, maybe repo is private? feel free to open a pull request and we can discuss in the PR directly 👍

@lemonksgithub

I have the same problem!

@tuffz

tuffz commented Nov 16, 2016

@mattab #10167 (comment) the link href is corrupted, but if you copy and paste the linked text it works perfectly, or you can click on the following link: blueelvis@ef9c628

@Braintelligence

Braintelligence commented Jan 7, 2017

Running on Piwik 3.0.0 I still have this problem, I guess:

Invalid 'X-Frame-Options' header encountered when loading 'https://subdomain.domain.tld/index.php?module=CoreAdminHome&action=optOut&language=de': '' is not a recognized directive. The header will be ignored.

What are the necessary steps to fix this?

EDIT: Ah nevermind, this fix will make it in 3.0.1 it seems 😸

@mattab
Member

mattab commented Feb 18, 2017

EDIT: Ah nevermind, this fix will make it in 3.0.1 it seems 😸

@Braintelligence so far we haven't fixed this issue. Please open a pull request if you can

@GermanKiwi

Some additional info from me - which I previously posted at #7379:

I'm running WordPress and using the WP Piwik plugin, and I found that this empty X-Frame-Options header, generated by Piwik, is only there when I set "Piwik Mode" to "Self-hosted (PHP API)" in the plugin settings. However, if I change Piwik Mode to "Self Hosted (HTTP API)", then this header is no longer generated. I have no idea why. I'd prefer to keep using the PHP API mode if I can, but obviously without the empty header being generated.

In fact, I would really love the ability to disable Piwik's generation of this header entirely. I'd prefer to manage my HTTP headers myself using my .htaccess file. Could you provide a way to stop Piwik from generating it? Perhaps something in Piwik's options, or something in Piwik's config file that I could add?

@mattab
Member

mattab commented Feb 19, 2017

This PR should fix the issue: #11358 - feedback welcome if you can test it 👍

@GermanKiwi

Hi @mattab, will your patch provide a way to disable the header altogether? Or at least not to add it if it already exists from .htaccess?

@mattab
Member

mattab commented Feb 20, 2017

@GermanKiwi No, this patch doesn't quite address the case where the web server already issues the X-Frame-Options header. But would you mind testing it, and please open a new issue if you still have this problem.

@GermanKiwi

Sure thing @mattab I'll be happy to test it - but can you kindly let me know how exactly I can do that?! In other words, how do I go about installing this patch onto my current Piwik installation? I've never done that before. ;)

@Findus23
Member

@GermanKiwi The fastest way would be downloading the patch by appending .patch to the pull request URL:

wget https://github.com/piwik/piwik/pull/11358.patch

and then applying the patch (while you are in the root directory of your piwik installation)

patch -p1 < 11358.patch

Of course there is also the manual way:

@mattab
Member

mattab commented Feb 21, 2017

@GermanKiwi please try with our latest 3.0.2-b5 which includes this patch: http://piwik.org/faq/how-to-update/faq_159/

@GermanKiwi

Hi @mattab, I'm still having some issues with empty headers after I installed 3.0.2-b5, so I've created a new issue with all the details at #11391.
