X-Frame-Options header is not a recognized directive

nginx http-headers nextcloud
MPH picture MPH · Dec 8, 2017 · Viewed 36.2k times · Source

I am using Nextcloud (on Nginx) for a while now and I want to iframe it for another website. However the header does not accept my directives.

I changed the header option in /var/www/nextcloud/lib/private/legacy/response.php into the following:

header('X-Frame-Options: ALLOW-FROM https://example.com');

However when I make an example webpage with an iframe it gives me the following error:

Invalid 'X-Frame-Options' header encountered when loading 'https://nextcloud.example.com/apps/files/': 'ALLOW-FROM https://example.com' is not a recognized directive. The header will be ignored.

Does anyone have an idea why this does not work?

Answer

R. Oosterholt picture R. Oosterholt · Nov 29, 2019

allow-from is 'obsolete'. You can use the Content-Security-Policy header instead:

header('Content-Security-Policy: frame-ancestors https://example.com');

Related questions

Possible reason for NGINX 499 error codes

I'm getting a lot of 499 NGINX error codes. I see that this is a client side issue. It is not a problem with NGINX or my uWSGI stack. I note the correlation in uWSGI logs when a get a 499. address …

Read More
How do you change the server header returned by nginx?

There's an option to hide the version so it will display only nginx, but is there a way to hide that too so it will not show anything or change the header?

Read More
How to add a response header on nginx when using proxy_pass?

I want to add a custom header for the response received from the server behind nginx. While add_header works for nginx-processed responses, it does nothing when the proxy_pass is used.

Read More