X-Frame-Options header set to empty value #10167
Comments
Thx for reporting the issue 👍 I can reproduce this issue and also get the empty value because of 00029a8#diff-3b04c2fd13299169fa41941cde7074d0R163 This seems like an easy fix by actually sending "allow". @mattab do you remember why this was needed? |
Hey @mattab - A real newbie in OSS here. Do you think this commit is a good fix for this bug? Any way I could improve it? https://github.com/blueelvis/piwik/commit/ef9c62868b59c0bd4ff2148a307f409c51456232 |
@blueelvis the link does not work for me, maybe repo is private? feel free to open a pull request and we can discuss in the PR directly 👍 |
I have the same problem! |
@mattab #10167 (comment) the link-href is corrupted but if you copy and paste linked text it works perfectly or you click on following link: blueelvis@ef9c628 |
EDIT: Ah nevermind, this fix will make it in 3.0.1 it seems 😸 |
@Braintelligence so far we haven't fixed this issue. Please open a pull request if you can |
Some additional info from me - which I previously posted at #7379: I'm running WordPress and using the WP Piwik plugin, and I found that this empty X-Frame-Options header, generated by Piwik, is only there when I set "Piwik Mode" to "Self-hosted (PHP API)" in the plugin settings. However, if I change Piwik Mode to "Self Hosted (HTTP API)", then this header is no longer generated. I have no idea why. I'd prefer to keep using the PHP API mode if I can, but obviously without the empty header being generated. In fact, I would really love the ability to disable Piwik's generation of this header entirely. I'd prefer to manage my HTTP headers myself using my .htaccess file. Could you provide a way to stop Piwik from generating it? Perhaps something in Piwik's options, or something in Piwik's config file that I could add? |
This PR should fix the issue: #11358 - feedback welcome if you can test it 👍 |
Hi @mattab, will your patch provide a way to disable the header altogether? Or at least not to add it if it already exists from .htaccess? |
@GermanKiwi No, this patch doesn't quite address the case where the web server already issues the x-frame-options header. But would you mind testing it, and please open a new issue if you still have this problem |
Sure thing @mattab I'll be happy to test it - but can you kindly let me know how exactly I can do that?! In other words, how do I go about installing this patch onto my current Piwik installation? I've never done that before. ;) |
@GermanKiwi The fastest way would be downloading the patch by appending .patch on the pull request url: `wget https://github.com/piwik/piwik/pull/11358.patch` and then applying the patch (while you are in the root directory of your piwik installation): `patch -p1 < 11358.patch` Of course there is also the manual way:
|
@GermanKiwi please try with our latest 3.0.2-b5 which includes this patch: http://piwik.org/faq/how-to-update/faq_159/ |
Hello,
I'm running Piwik 2.16.1 and use the Custom Opt-Out plugin. I don't know if this bug is related to custom opt-out or not but it also appears if no custom opt-out html is set.
On the page where my Opt-out is embedded in an IFrame, Chrome reports
Opening the frame content in a new tab I can see the empty header in chrome dev tools:
Maybe this is the problem: https://github.com/piwik/piwik/blob/master/core/View.php#L340
Valid values are DENY, SAMEORIGIN, ALLOW-FROM , the latter with very poor browser support.
Empty values are not allowed.
Or is this configurable?
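An added example (not Piwik's code and not part of the original report): a Python check that audits a raw HTTP response head for the condition reported above, an X-Frame-Options header sent with an empty value, and also flags the case raised in the comments where the web server and the application both send the header. The sample responses are constructed and the function names are hypothetical.

```python
import re

VALID_FIXED = {"DENY", "SAMEORIGIN"}  # values the report lists as valid

def xfo_values(raw_response: str) -> list[str]:
    """Return every X-Frame-Options value in a raw HTTP response head, in order."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values

def audit_xfo(raw_response: str) -> list[str]:
    """Return findings; an empty list means exactly one well-formed header."""
    values = xfo_values(raw_response)
    if not values:
        return ["missing: no X-Frame-Options header"]
    findings = []
    for v in values:
        token = v.upper()                       # header values are case-insensitive
        if v == "":
            findings.append("empty: header present with no value")
        elif token in VALID_FIXED:
            continue
        elif re.fullmatch(r"ALLOW-FROM\s+\S+", token):
            findings.append("allow-from: poorly supported by browsers")
        else:
            findings.append(f"invalid: unrecognised value {v!r}")
    if len(values) > 1:
        findings.append(f"duplicate: {len(values)} headers sent ({values})")
    return findings

# Constructed sample responses (not captured from a real installation).
EMPTY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: \r\n\r\n<html>"
GOOD = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"
DOUBLE = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
          "X-Frame-Options:\r\n\r\n")  # web server and application both set it

if __name__ == "__main__":
    for label, resp in (("empty", EMPTY), ("good", GOOD), ("double", DOUBLE)):
        print(label, audit_xfo(resp))
```

To audit a live page, feed it the output of `curl -sI` for the framed URL.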