Posted to users@httpd.apache.org by Martin Knoblauch <kn...@knobisoft.de> on 2021/10/06 10:09:17 UTC

[users@httpd] Stupid question on mod_header

Hi,

 sorry for asking this likely stupid question. This is with Apache HTTPD
2.4.48.

I want to change the value of the X-Frame-Options response header from DENY
to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.

Naively, because the mod_header documentation says "The response header is
set, replacing any previous header with this name. The value may be a
format string.", I added a single

    Header always set X-Frame-Options SAMEORIGIN

to the VirtualHost section of the httpd configuration. To my surprise my
browser (FF and Chrome) has two headers now, one with DENY, one with
SAMEORIGIN. And falls back to DENY :-(

When I add an unset before the set, it works

    Header unset X-Frame-Options
    Header always set X-Frame-Options SAMEORIGIN

Is my understanding of the mod_header documentation wrong, or do I miss
something subtle?

Cheers
Martin
-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

Re: [users@httpd] Stupid question on mod_header

Posted by Martin Knoblauch <kn...@knobisoft.de>.
On Wed, Oct 6, 2021 at 8:58 PM Konstantin Kolinko <kn...@gmail.com>
wrote:

> Wed, 6 Oct 2021 at 13:10, Martin Knoblauch <kn...@knobisoft.de>:
> >
> > Hi,
> >
> >  sorry for asking this likely stupid question. This is with Apache HTTPD
> 2.4.48.
> >
> > I want to change the value of the X-Frame-Options response header from
> DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
> >
> > Naively, because the mod_header documentation says "The response header
> is set, replacing any previous header with this name. The value may be a
> format string.", I added a single
> >
> >     Header always set X-Frame-Options SAMEORIGIN
> >
> > to the VirtualHost section of the httpd configuration. To my surprise my
> browser (FF and Chrome) has two headers now, one with DENY, one with
> SAMEORIGIN. And falls back to DENY :-(
> >
> > When I add an unset before the set, it works
> >
> >     Header unset X-Frame-Options
> >     Header always set X-Frame-Options SAMEORIGIN
> >
> > Is my understanding of the mod_header documentation wrong, or do I miss
> something subtle?
>
> See my recent answer in "X-Frame-Options and security" thread.
> https://httpd.markmail.org/message/pwsrgbj7pjy4qiei
>
> All is in the docs, if you read carefully, but I agree that it is subtle.
> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>
> Essentially, (as far as I am reading it), "onsuccess" and "always" are
> just names of two separate tables (lists) of headers that exist in
> parallel.
>
> <quote>
> it does not offer any "normalized" single list of headers
> </quote>
>
> Best regards,
> Konstantin Kolinko
>
>
Hi Konstantin,

 OK, so I apparently did not read carefully enough and got the
onsuccess/always meaning wrong. Subtle indeed :-)

Anyway, I solved my problem at the root and convinced Spring Websecurity to
the "right" header value in the first place.

Cheers
Martin

-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

Re: [users@httpd] Stupid question on mod_header

Posted by Konstantin Kolinko <kn...@gmail.com>.
Wed, 6 Oct 2021 at 13:10, Martin Knoblauch <kn...@knobisoft.de>:
>
> Hi,
>
>  sorry for asking this likely stupid question. This is with Apache HTTPD 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is set, replacing any previous header with this name. The value may be a format string.", I added a single
>
>     Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my browser (FF and Chrome) has two headers now, one with DENY, one with SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
>     Header unset X-Frame-Options
>     Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss something subtle?

See my recent answer in "X-Frame-Options and security" thread.
https://httpd.markmail.org/message/pwsrgbj7pjy4qiei

All is in the docs, if you read carefully, but I agree that it is subtle.
https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

Essentially, (as far as I am reading it), "onsuccess" and "always" are
just names of two separate tables (lists) of headers that exist in
parallel.

<quote>
it does not offer any "normalized" single list of headers
</quote>

Best regards,
Konstantin Kolinko
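The symptom Martin describes (two X-Frame-Options headers, the browser falling back to DENY) is easy to miss in a browser's network panel, so the following added example, which is not part of this thread and not httpd's or Tomcat's code, is a small offline checker: it parses a raw HTTP/1.1 response, lists every X-Frame-Options value it carries, flags the header as duplicated, and reports the policy the browser ends up applying (DENY when the values conflict, as observed above). The two response captures are constructed for the example; the first mimics the "always set" on its own, the second the "unset" plus "always set" fix. The observation that "always" and "onsuccess" are two parallel header tables explains both captures: the Tomcat value sits in the onsuccess table, `Header always set` only writes to the other one, and `Header unset` removes the onsuccess copy.

```python
"""Detect duplicate or conflicting X-Frame-Options headers in a raw HTTP response.

Added example for the mod_headers thread; not code from httpd, Tomcat or the
thread's authors. The raw responses below are constructed, not captured.
"""
from typing import Dict, List, Tuple

# Constructed: what the browser sees when only "Header always set" is used and
# Tomcat's DENY stays in httpd's "onsuccess" header table.
BEFORE_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 06 Oct 2021 10:09:17 GMT\r\n"
    b"Server: Apache/2.4.48\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed: after "Header unset" removed the onsuccess copy and
# "Header always set" supplied the single remaining value.
AFTER_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 06 Oct 2021 10:09:17 GMT\r\n"
    b"Server: Apache/2.4.48\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_response_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...]).

    Repeated header names are kept as separate entries rather than merged,
    because the duplication itself is what we want to detect.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return status, headers


def xfo_values(headers: List[Tuple[str, str]]) -> List[str]:
    """All X-Frame-Options values in order of appearance (header names are case-insensitive)."""
    return [v.upper() for n, v in headers if n.lower() == "x-frame-options"]


def effective_frame_policy(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Return the values seen, whether the header is duplicated, and the policy applied.

    No header: framing is allowed. Exactly one value: that value. Several
    differing values: the browser treats the page as DENY, matching the
    fallback reported in the thread. Repeated identical values are still
    flagged as duplicates because they indicate the same two-table problem.
    """
    values = xfo_values(headers)
    if not values:
        return {"values": [], "effective": "ALLOW", "duplicate": False}
    distinct = set(values)
    effective = values[0] if len(distinct) == 1 else "DENY"
    return {"values": values, "effective": effective, "duplicate": len(values) > 1}


def audit(raw: bytes) -> Dict[str, object]:
    """Parse a raw response and return the X-Frame-Options finding for it."""
    status, headers = parse_response_headers(raw)
    result = effective_frame_policy(headers)
    result["status"] = status
    return result


if __name__ == "__main__":
    for label, capture in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        finding = audit(capture)
        flag = "DUPLICATE " if finding["duplicate"] else ""
        print(f"{label}: {flag}values={finding['values']} effective={finding['effective']}")
```

Running the script prints the duplicate finding for the first capture and a clean single SAMEORIGIN for the second. The same parser can be pointed at the output of `curl -sI` against a real vhost to confirm that the onsuccess/always fix actually left one header, which is the check a browser's "falls back to DENY" behaviour otherwise hides.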



Re: [users@httpd] Stupid question on mod_header

Posted by Daniel Ferradal <df...@apache.org>.
Probably because the header is being added later in a different sub-context.

That is, at the time apache sets the header for virtual host there is no
other header of the same name defined, so there is nothing to eliminate and
set instead, but then the path for the reverse proxy to tomcat is being
evaluated later.

I would suppose setting it in the specific location for the path that leads
to tomcat things would be different.

In any case try and see.

Regards.

On Wed, 6 Oct 2021 12:09, Martin Knoblauch <kn...@knobisoft.de> wrote:

> Hi,
>
>  sorry for asking this likely stupid question. This is with Apache HTTPD
> 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from
> DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is
> set, replacing any previous header with this name. The value may be a
> format string.", I added a single
>
>     Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my
> browser (FF and Chrome) has two headers now, one with DENY, one with
> SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
>     Header unset X-Frame-Options
>     Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss
> something subtle?
>
> Cheers
> Martin
> --
> ------------------------------------------------------
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www: http://www.knobisoft.de
>