ZABBIX BUGS AND ISSUES / ZBX-21973

X-Frame-Options HTTP header parameter can only accept sameorigin and deny


    • Team A
    • Sprint 98 (Mar 2023), Sprint 99 (Apr 2023), Sprint 100 (May 2023), Sprint 101 (Jun 2023), Sprint 102 (Jul 2023), Sprint 103 (Aug 2023), Sprint 104 (Sep 2023), Sprint 105 (Oct 2023), Sprint 106 (Nov 2023), S2401-1, S2401-2
    • 0.25

      According to documentation "X-Frame-Options HTTP header" field can accept values:
      SAMEORIGIN (default) - the page can only be displayed in a frame on the same origin as the page itself.
      DENY - the page cannot be displayed in a frame, regardless of the site attempting to do so.
      null - disable X-Frame-options header (not recommended).
      Or a list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.

      But only the SAMEORIGIN and DENY values actually work.

      Precondition:
      I have a virtual machine with dns name test-virtualbox which is also available using dns test-virtualbox.local

      1. "X-Frame-Options HTTP header" with null
      Steps to reproduce:

      1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
      2. Navigate to Administration → General → Other
      3. Change "X-Frame-Options HTTP header" to null
      4. Go to Dashboard
      5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

      Result:
      Zabbix page doesn't open in widget, message: test-virtualbox refused to connect
      error in console: Refused to display 'http://test-virtualbox/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
      Expected:
      Can open zabbix page in URL widget
      Field "X-Frame-Options HTTP header" should be optional. Instead of null value, there should be empty field to disable the X-Frame-options header.

      2. "X-Frame-Options HTTP header" with hostname
      Steps to reproduce:

      1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
      2. Navigate to Administration → General → Other
      3. Fill in "X-Frame-Options HTTP header" hostname test-virtualbox (according to documentation: list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.)
      4. Go to Dashboard
      5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

      Result:
      Zabbix page doesn't open in widget, message: test-virtualbox refused to connect
      Error in console: Invalid 'X-Frame-Options' header encountered when loading 'http://test-virtualbox/': 'ALLOW-FROM test-virtualbox' is not a recognized directive. The header will be ignored.
      Expected:
      Can open zabbix page in URL widget.
      According to the X-Frame-Options documentation, the ALLOW-FROM=url option is deprecated.
      This is an obsolete directive that no longer works in modern browsers. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
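The mapping this report asks for, written as an added example (not Zabbix code): the documented setting values (SAMEORIGIN, DENY, an empty/null value to disable the header, or a comma-separated hostname list) are turned into response headers, with the hostname list emitted as a Content-Security-Policy frame-ancestors directive instead of the ALLOW-FROM directive that browsers no longer recognise. The hostname syntax check and the inclusion of 'self' in the allow list are assumptions made for this example.

```python
"""Map Zabbix's "X-Frame-Options HTTP header" setting to response headers."""
from __future__ import annotations
import re

# Assumed hostname syntax for this example: host, optional scheme, optional
# "*." wildcard label, optional port. Anything else is rejected.
_HOST_RE = re.compile(r"^(?:https?://)?(?:\*\.)?[A-Za-z0-9.-]+(?::\d+)?$")


def frame_headers(setting: str) -> dict[str, str]:
    """Return the framing headers to send for the configured setting value."""
    value = setting.strip()
    if value == "" or value.lower() == "null":
        return {}  # header disabled; documented as "not recommended"
    if value.upper() in ("SAMEORIGIN", "DENY"):
        return {"X-Frame-Options": value.upper()}
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    if any(not _HOST_RE.match(h) for h in hosts):
        # Documented fallback: an unacceptable hostname reverts to SAMEORIGIN.
        return {"X-Frame-Options": "SAMEORIGIN"}
    # ALLOW-FROM is obsolete and ignored, so a hostname list must be expressed
    # with CSP frame-ancestors. 'self' keeps same-origin widgets working.
    return {"Content-Security-Policy": "frame-ancestors 'self' " + " ".join(hosts)}


def browser_xfo_decision(header_value: str) -> str:
    """Model how a current browser treats an X-Frame-Options header value."""
    v = header_value.strip().upper()
    if v in ("SAMEORIGIN", "DENY"):
        return v
    # Any other value (including ALLOW-FROM) is "not a recognized directive":
    # the header is ignored, which leaves the page with no framing restriction.
    return "IGNORED"
```

Note that the ignored-header case is weaker than the SAMEORIGIN fallback the documentation promises, which is why the CSP directive is the safe replacement.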

            dfofanovs Dmitrijs Fofanovs
            natalja.zabbix Natalja Romancaka