4

We are running apache 2.4 in order to serve our typo3 generated websites.

In general we want to have the X-Frame-Options SAMEORIGIN Header present for all requests.

With one exception. For a specific URL this Header should be unset, since it has to be used inside an iFrame from another domain.

So I added something like this:

Header always set X-Frame-Options SAMEORIGIN

<Location /anotherURL>
    Header always unset X-Frame-Options
</Location>

When I try to request the given URL https://www.example.com/ I see the X-Frame-Options-Header in the Response, but with https://www.example.com/anotherURL this Header is still present.

I have checked that the Location directive is actually processed by adding a Require all denied to the Location directive. With this active, the access to the URL /anotherURL is denied, as expected.

If I change the Location from /anotherURL to /typo3 the unset works as expected.

The only difference I see between these two URLs is that /typo3 exists in the directory structure under htdocs, whereas /anotherURL is a URL processed by Typo3.

My question now is, why does Apache ignore my Header unset command? From Apache's point of view it should be ignorant of what Typo3 is doing; once it generates the response header the Location directive should match (which it is obviously doing) and then process the commands inside.

I have browsed some of the other questions regarding problems with unsetting of HTTP headers, but no suggestion has solved my specific problem.

HBruijn
Tobias Wolf

2 Answers

3

Here are my insights for this:

The main problem, why my Header statements are not executed inside the Location-Directive lies in mod_rewrite.

Once a request with a virtual URL like /anotherURL, for which no physical entity exists, comes in, mod_rewrite immediately begins to apply its rules. Here it maps it to /index.php and pushes the information /anotherURL into GET parameters, which are used later on to identify the Typo3 page.

This explains why the Header statements are not executed, the Location of the request has changed.

Now to the solution, which works for me. Since I cannot rely on the URL I have to find another piece of information. For me the Referer suits me just fine:

SetEnvIf Referer ^https:\/\/www.(location1|location2).de\/test\.html$ IFRAME_ENV
Header always set X-Frame-Options "sameorigin" env=!IFRAME_ENV

Will do the trick.

Now for every request the referer is checked. By default the X-Frame-Options Header is added, except when the referer is set to the two URLs from which I want to allow iFrame embedding.

If anyone knows how to apply Location directives before mod_rewrite kicks in, I am very open-minded to such a solution :) Until then this seems to work for me.

Thanks to everyone for the support.

Tobias Wolf
1

Try this:

<Location /anotherURL>
    Header always unset X-Frame-Options
    Header unset X-Frame-Options
</Location>

Had the same thing with a JBoss backend not unsetting a header and the above fixed it. Can't remember why again now (something to do with order of processing when including the always keyword).

Barry Pollard
  • Thanks for your answer. Just tried it in my setup, but it did not work for me. The X-Frame-Options Header is still sent back from Apache. Even a `Header always set testheader "TEST"` will be ignored inside the Location element. – Tobias Wolf Aug 01 '16 at 08:57
  • Sounds like a problem with your Location directive then. Anything in the Apache error logs? – Barry Pollard Aug 01 '16 at 10:33
  • Yeah, this was my thought also. But if I add a statement like `Deny from all` to the Location directive, the specific URL is not reachable any more. So the directive is recognized by Apache, but somehow it seems that the Response Headers cannot be modified in this case. – Tobias Wolf Aug 01 '16 at 11:44
  • Here are my new insights about this topic. I think the reason for this behaviour lies in the rewrite rules. The request URL /anotherURL is already mapped to index.php and then any stuff in a -Directive is executed. If I change to at last the statements of the directive are executed. But now the information upon which I wanted to handle the different logic is lost to me. I have already tried to set an env variable by the time mod_rewrite handles the request with: RewriteRule ^anotherURL/$ - [E=anotherURL] – Tobias Wolf Aug 02 '16 at 13:45
  • But this variable seems not to be accessible to the Header directive, since a `Header always unset X-Frame-Options env=anotherURL` is not executed. – Tobias Wolf Aug 02 '16 at 13:51