@renegat4 opened this Issue on August 25th 2015

Current Chrome doesn't show the opt-out because of conflicting values for X-Frame-Options.

Source seems to be in core/View.php:

// always sending this header, sometimes empty, to ensure that Dashboard embed loads
(which could call this header() multiple times, the last one will prevail)

The header is set two times, first with 'sameorigin', second empty.

So the last one will not prevail. Chrome sees them all and refuses to show the content.

@tsteur commented on August 26th 2015 Member

Current Chrome you mean version 44? I just tried to reproduce but works fine for me. Quickly had a look at the code but couldn't find why it should be set multiple times, only had a quick view though. Are you using any custom plugins? What's your PHP version?

@renegat4 commented on August 26th 2015

Yes, Chrome 44.0 (Linux). But the problem is the same under Chrome/MacOSX (don't know the Chrome version there).

PHP is 5.5.9-1ubuntu4.11

One plugin is installed: CustomOptOut (v0.3.1)
Deactivating the plugin does not help.

The error in the Chrome console is:

Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ') encountered when loading '...index.php?module=CoreAdminHome&idSite=2&action=optOut&language=de'. Falling back to 'DENY'.

My current workaround is:

// only send the header when a value is actually configured
if ((string)$this->xFrameOptions != '') {
  Common::sendHeader('X-Frame-Options: ' . (string)$this->xFrameOptions);
}

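
An added example, not part of the thread or of Piwik's code: a Python check that models the conflict in the console message above, for auditing captured response headers. It treats repeated X-Frame-Options headers as one comma-separated list and assumes that values of differing kind fall back to 'deny', as the message reports; the function names and sample responses are constructed for illustration.

```python
# Added example (not Piwik code): flag responses whose X-Frame-Options
# headers conflict, as in the Chrome console message quoted above.
RECOGNISED = {"deny", "sameorigin", "allowall"}


def xfo_values(raw_response_head):
    """Return every X-Frame-Options value, in order, from a raw header block.

    Repeated header lines are treated as one comma-separated list, so
    'sameorigin' followed by an empty header yields ['sameorigin', ''].
    """
    values = []
    for line in raw_response_head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(v.strip().lower() for v in value.split(","))
    return values


def effective_policy(raw_response_head):
    """Return (policy, conflict) for one response.

    policy is 'deny', 'sameorigin' or None (no framing restriction).
    Assumption: values that differ in kind are a conflict and the browser
    falls back to 'deny', which is what the console message reports.
    """
    values = xfo_values(raw_response_head)
    kinds = {v if v in RECOGNISED else "invalid" for v in values}
    if len(kinds) > 1:
        return "deny", True
    kind = kinds.pop() if kinds else "invalid"
    if kind in ("deny", "sameorigin"):
        return kind, False
    return None, False  # absent, unrecognised or 'allowall'


# Constructed sample responses (not captured from a real server).
TWICE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-Frame-Options: sameorigin\r\nX-Frame-Options: \r\n\r\n")
ONCE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: sameorigin\r\n\r\n")
NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, head in (("twice", TWICE), ("once", ONCE), ("none", NONE)):
        print(label, xfo_values(head), effective_policy(head))
```
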
@tsteur commented on August 27th 2015 Member

Just noticed it was moved to 2.15.0. Maybe someone else from the team can try to reproduce it and if so, work on a fix.

@mattab commented on September 20th 2015 Member

@renegat4 I also can't reproduce. Which version of Piwik are you using? Did you maybe customise the config.ini.php with some settings?

This Issue was closed on November 26th 2015