We are running Apache 2.4 in order to serve our TYPO3-generated websites. In general we want to have the `X-Frame-Options: SAMEORIGIN` header present for all requests, with one exception: for a specific URL this header should be unset, since it has to be used inside an iframe from another domain.
So I added something like this:

```apache
Header always set X-Frame-Options SAMEORIGIN
<Location /anotherURL>
    Header always unset X-Frame-Options
</Location>
```
When I request the URL https://www.example.com/ I see the X-Frame-Options header in the response, but with https://www.example.com/anotherURL this header is still present.
I have checked that the Location directive is actually processed by adding `Require all denied` to it. With this active, access to the URL /anotherURL is denied, as expected.
If I change the Location from /anotherURL to /typo3, the unset works as expected. The only difference I see between these two URLs is that /typo3 exists in the directory structure under htdocs, whereas /anotherURL is a URL processed by TYPO3.
My question now is: why does Apache ignore my `Header unset` command? From Apache's point of view it should be ignorant of what TYPO3 is doing; once it generates the response header, the Location directive should match (which it is obviously doing) and then process the commands inside.
I have browsed some of the other questions regarding problems with unsetting of HTTP headers, but no suggestion has solved my specific problem.