when webserver sets X-Frame-Options header, Piwik also sets it causing conflicting headers js warning in widget iframes #7379

Closed
thilohermann opened this issue Mar 6, 2015 · 9 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@thilohermann

This is a follow-up on this forum topic:
http://forum.piwik.org/read.php?2,123519,124051

I have problems with the X-Frame-Options Header with this configuration:

  • Piwik 2.11.2 (also confirmed in 2.10.0)
  • Server-wide Apache 2 configuration (set in httpd.conf and/or ssl.conf):
    Header always append X-Frame-Options SAMEORIGIN
  • Trying to display an iFrame-based widget somewhere on my domain, for example on
    https://www.mysite.xy/report.html

Piwik Widget URL:
https://www.mysite.xy/piwik/index.php?module=Widgetize&action=iframe&columns[]=nb_visits&widget=1&moduleToWidgetize=VisitsSummary&actionToWidgetize=getEvolutionGraph&idSite=1&period=day&date=today&disableLink=1&widget=1&token_auth=123456789

The widget won't be displayed in Chrome (e.g. 41.0.2272.76, Mac) due to this error (see console):
Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ') encountered when loading 'https://www.mysite.xy/piwik/index.php?module=Widgetize&action=i…e=today&disableLink=1&widget=1&token_auth=123456789'. Falling back to 'DENY'.
about:blank:1 Refused to display 'https://www.mysite.xy/piwik/index.php?module=Widgetize&action=i…e=today&disableLink=1&widget=1&token_auth=123456789' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, '.

As far as I know this problem appears only in Webkit browsers; other browsers like FF/IE seem to ignore the empty X-Frame-Options header and display the widget.

My workaround: hack core/View.php and remove line 245
// always sending this header, sometimes empty, to ensure that Dashboard embed loads (which could call this header() multiple times, the last one will prevail)
Common::sendHeader('X-Frame-Options: ' . (string)$this->xFrameOptions);

Better solutions:

  • add a configuration option for whether Piwik should send an X-Frame-Options header or not
  • or make sure that Piwik always sends the correct X-Frame-Options header, respectively does not 'overwrite' an existing X-Frame-Options header with an empty header
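The following is an added example, not code from Piwik or from the reporter. It rebuilds, offline, the situation described above: a constructed HTTP response head carrying Apache's appended SAMEORIGIN header next to Piwik's empty one, and a small reimplementation of how the WebKit/Blink X-Frame-Options parser of that time combined repeated headers (duplicates joined with ', ', each comma-separated piece trimmed and classified, and any two pieces that classify differently treated as a conflict, which Chrome then logs as falling back to DENY). The header order and the parser behaviour are my reconstruction from the console messages quoted in the report, not something the thread verifies. It also exercises the two neighbouring cases: the same value sent twice, and only the empty header.

```php
<?php
// Added example (not Piwik code). Sample HTTP heads below are constructed by hand.
declare(strict_types=1);

/** Split a raw HTTP response head into lower-cased name => list of values (duplicates kept). */
function parseRawHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split("/\r?\n/", trim($raw)) as $line) {
        if (strpos($line, 'HTTP/') === 0 || strpos($line, ':') === false) {
            continue; // status line, blank line or garbage
        }
        list($name, $value) = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return $headers;
}

/**
 * Approximation of the old WebKit/Blink parser (assumption, reconstructed from the
 * console output in this issue): repeated headers arrive as one string joined with ', ';
 * each piece is trimmed and classified; pieces that classify differently conflict.
 */
function effectiveXFrameOptions(array $values): array
{
    $combined = implode(', ', $values);
    if (trim($combined) === '') {
        // No header at all, or only empty ones: nothing for the browser to apply.
        return ['policy' => 'NONE', 'combined' => $combined, 'framing' => 'allowed'];
    }
    $framingOf = [
        'DENY'       => 'refused',
        'SAMEORIGIN' => 'same-origin only',
        'ALLOWALL'   => 'allowed',
        'INVALID'    => 'allowed (unrecognised value ignored)',
    ];
    $result = null;
    foreach (explode(',', $combined) as $piece) {
        $piece   = strtoupper(trim($piece));
        $current = in_array($piece, ['DENY', 'SAMEORIGIN', 'ALLOWALL'], true) ? $piece : 'INVALID';
        if ($result === null) {
            $result = $current;
        } elseif ($result !== $current) {
            return ['policy' => 'CONFLICT', 'combined' => $combined,
                    'framing' => "refused (conflicting values '$combined', falling back to DENY)"];
        }
    }
    return ['policy' => $result, 'combined' => $combined, 'framing' => $framingOf[$result]];
}

/** Raw response head in, framing verdict out. */
function checkFraming(string $raw): array
{
    $headers = parseRawHeaders($raw);
    return effectiveXFrameOptions(isset($headers['x-frame-options']) ? $headers['x-frame-options'] : []);
}

// Constructed head for the widget URL from this report: Apache's appended header
// plus Piwik's empty one (order assumed so the joined string reads 'SAMEORIGIN, ').
$conflicting = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=utf-8\r\n"
    . "X-Frame-Options: SAMEORIGIN\r\n"   // from: Header always append X-Frame-Options SAMEORIGIN
    . "X-Frame-Options: \r\n"             // from: core/View.php with an empty xFrameOptions value
    . "\r\n";
print_r(checkFraming($conflicting));

// Same value twice: Apache and Piwik both say SAMEORIGIN.
$duplicate = str_replace("X-Frame-Options: \r\n", "X-Frame-Options: SAMEORIGIN\r\n", $conflicting);
print_r(checkFraming($duplicate));

// Only Piwik's empty header (web server directive removed).
$emptyOnly = str_replace("X-Frame-Options: SAMEORIGIN\r\n", '', $conflicting);
print_r(checkFraming($emptyOnly));
```

To check a live deployment instead of the constructed head, feed the output of `curl -sI` for the widget URL into checkFraming(); a result of CONFLICT is the condition the reporter hit, while a single empty value passes in the parser above only because the browser discards it, which is still not a header you want to ship.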
@mattab
Member

mattab commented Apr 8, 2015

Hi @thilohermann

I believe this setting you need is already available, see this FAQ: http://piwik.org/faq/troubleshooting/faq_147/

if you have a problem with that, please reopen this issue

@mattab mattab closed this as completed Apr 8, 2015
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Apr 8, 2015
@thilohermann
Author

Hi @mattab

thanks for looking into this, but the enable_framed_pages option does not seem to change the X-Frame-Options Header for iFrame widgets, still getting the same message in Chrome error console.

now Piwik 2.12.1, Chrome 41, added enable_framed_pages = 1 in config.ini.php

Chrome Console: [screenshot, 2015-04-09 15:24:17]

config.ini.php: [screenshot, 2015-04-09 15:50:56]

@thilohermann
Author

PS. should it be possible for me to reopen this issue? I am new to GitHub, so I can't find the button :)

@mattab mattab reopened this Apr 9, 2015
@diosmosis
Member

Did a quick investigation, I can verify that w/ this sort of server config, two identical headers can be sent (I couldn't reproduce the error, though w/ Chrome 43). I couldn't find a way to detect if the web server added a header from within PHP, so I think a config option is the only way to fix this.

@mattab Here is my proposal: we could add a new array option do_not_send_response_headers that would allow users to prevent response headers from being sent by Piwik.
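Added sketch, not Piwik's code and not an implementation of the option proposed above: it shows how the View.php line quoted in the first post could keep its "last caller prevails" behaviour without ever emitting an empty header, by calling header_remove() when the final value is empty and header() with replace=true otherwise, and how a per-deployment list of headers the web server owns (standing in for the hypothetical do_not_send_response_headers option) would plug in. The callables are injectable only so the self-check at the bottom can record what would be sent instead of writing to the real response.

```php
<?php
// Added example, not Piwik code. $doNotSend models the hypothetical
// do_not_send_response_headers option from this thread.
declare(strict_types=1);

/**
 * Send, replace or drop the X-Frame-Options header for the current request.
 *
 * @param string        $xFrameOptions '' means "unset", otherwise e.g. 'DENY' or 'SAMEORIGIN'
 * @param string[]      $doNotSend     header names the deployment leaves to the web server
 * @param callable|null $send          defaults to header(); injectable for testing
 * @param callable|null $remove        defaults to header_remove(); injectable for testing
 * @return string|null  the value actually sent, or null when nothing was sent
 */
function sendXFrameOptions(string $xFrameOptions, array $doNotSend = [],
                           ?callable $send = null, ?callable $remove = null): ?string
{
    $send   = $send   ?? 'header';
    $remove = $remove ?? 'header_remove';

    if (in_array('x-frame-options', array_map('strtolower', $doNotSend), true)) {
        return null; // the web server owns this header: send nothing, empty or not
    }

    $value = trim($xFrameOptions);
    if ($value === '') {
        // An earlier call in this request may have set a value (dashboard embed);
        // drop it rather than overwrite it with an invalid empty header.
        $remove('X-Frame-Options');
        return null;
    }

    $send('X-Frame-Options: ' . $value, true); // replace=true: the last call prevails
    return $value;
}

// Self-check that records instead of emitting headers.
$sent   = [];
$record = function (string $header) use (&$sent) { $sent[] = $header; };
$forget = function (string $name) use (&$sent) {
    $sent = array_values(array_filter($sent, function ($h) use ($name) {
        return stripos($h, $name . ':') !== 0;
    }));
};

sendXFrameOptions('SAMEORIGIN', [], $record, $forget); // first caller sets it
sendXFrameOptions('', [], $record, $forget);           // embed path unsets it again
var_dump($sent);                                       // no empty header left behind

sendXFrameOptions('DENY', ['X-Frame-Options'], $record, $forget); // server owns the header
var_dump($sent);
```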

@mattab
Member

mattab commented Apr 10, 2015

imho it's a good solution here to change the apache server config not to send this header, as it fixes the problem. I still leave the issue open but decrease priority

@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. and removed answered For when a question was asked and we referred to forum or answered it. labels Apr 10, 2015
@mattab mattab added this to the Long term milestone Apr 10, 2015
@mattab mattab changed the title Set X-Frame-Options Header correctly for widgets when webserver sets X-Frame-Options header, Piwik also sets it causing conflicting headers js warning in widget iframes Apr 10, 2015
@citosid

citosid commented Aug 17, 2015

Any solution to this issue?

@mattab
Member

mattab commented Aug 20, 2015

@citosid yes, we suggest to disable the x-frame-options header in your webserver

@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@GermanKiwi

Hi @mattab I've also just discovered this issue in my Piwik setup too. However, I don't think your proposed solution (disable the header in Apache) is correct.

The problem is this: my website is actually delivering two separate X-Frame-Options headers, and they are both different. The first one comes from my .htaccess and it has a value of SAMEORIGIN which is what I want/need it to be.

The second one comes from Piwik, I believe, and it has no value at all. It's blank. Which I believe is an invalid response.

It looks like @thilohermann also had this issue too (one valid header using SAMEORIGIN and the other header being empty) - according to his screenshot of his Chrome Console in his post above, which shows the two different header values he's getting ('SAMEORIGIN, ')

So the problem is that I can't simply disable the header outright, as I need it there for security reasons on my website. What I don't need is Piwik creating a 2nd header, and more so with an invalid empty value.

Additional info: I'm running WordPress and using the WP Piwik plugin, and I found that this bogus extra header, generated by Piwik, is only there when I set "Piwik Mode" to "Self-hosted (PHP API)" in the plugin settings. However, if I change Piwik Mode to "Self Hosted (HTTP API)", then the bogus extra header is no longer generated. No idea why. Everything else works perfectly well, and I'd prefer to keep using the PHP API mode if I can.

Any thoughts about why this is happening?

@mattab
Member

mattab commented Feb 18, 2017

@GermanKiwi please let's continue discussion / copy your comment in #10167 and I'll close this one as duplicate

@mattab mattab closed this as completed Feb 18, 2017
@mattab mattab added the duplicate For issues that already existed in our issue tracker and were reported previously. label Feb 18, 2017