ZABBIX BUGS AND ISSUES
ZBX-21973

X-Frame-Options HTTP header parameter can only accept sameorigin and deny


Details

    • Type: Problem report
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 6.0.11rc1, 6.2.5rc1, 6.4.0beta4
    • Fix Version/s: None
    • Component/s: Frontend (F)

    Description

      According to documentation "X-Frame-Options HTTP header" field can accept values:
      SAMEORIGIN (default) - the page can only be displayed in a frame on the same origin as the page itself.
      DENY - the page cannot be displayed in a frame, regardless of the site attempting to do so.
      null - disable X-Frame-options header (not recommended).
      Or a list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.

      But only the SAMEORIGIN and DENY values actually work.

      Precondition:
      I have a virtual machine with dns name test-virtualbox which is also available using dns test-virtualbox.local

      1. "X-Frame-Options HTTP header" with null
      Steps to reproduce:

      1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
      2. Navigate to Administration → General → Other
      3. Change "X-Frame-Options HTTP header" to null
      4. Go to Dashboard
      5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

      Result:
      Zabbix page doesn't open in the widget, message: test-virtualbox refused to connect
      error in console: Refused to display 'http://test-virtualbox/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
      Expected:
      Can open zabbix page in URL widget
      Field "X-Frame-Options HTTP header" should be optional. Instead of null value, there should be empty field to disable the X-Frame-options header.

      2. "X-Frame-Options HTTP header" with hostname
      Steps to reproduce:

      1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
      2. Navigate to Administration → General → Other
      3. Fill in "X-Frame-Options HTTP header" hostname test-virtualbox (according to documentation: list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.)
      4. Go to Dashboard
      5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

      Result:
      Zabbix page doesn't open in the widget, message: natalja-virtualbox refused to connect
      Error in console: Invalid 'X-Frame-Options' header encountered when loading 'http://test-virtualbox/': 'ALLOW-FROM test-virtualbox' is not a recognized directive. The header will be ignored.
      Expected:
      Can open zabbix page in URL widget.
      According to X-Frame-Options documentation ALLOW-FROM=url option is deprecated.
      This is an obsolete directive that no longer works in modern browsers. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
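As an added illustration (Python, not Zabbix's own frontend code): a model of how a field with the documented values (null, SAMEORIGIN, DENY, or a hostname list) could be mapped to response headers, emitting Content-Security-Policy frame-ancestors instead of the obsolete ALLOW-FROM, plus a simplified emulation of how a modern browser decides whether a parent page may frame the response. The function names frame_policy_headers and framing_allowed, the hostname regex and the SAMEORIGIN fallback for legacy browsers are assumptions of this example; the two hostnames come from the report above.

```python
import re
from typing import Dict
from urllib.parse import urlsplit

# One frame-ancestors host-source: optional scheme, hostname, optional port.
# Spaces, ';' or newlines are rejected so a mistyped setting cannot inject directives.
_HOST_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+(?::\d{1,5})?$")


def frame_policy_headers(setting: str) -> Dict[str, str]:
    """Map the documented field values to the framing headers to send (assumed mapping)."""
    value = setting.strip()
    if value == "" or value.lower() == "null":
        return {}                                  # header disabled: framing allowed
    if value.upper() in ("SAMEORIGIN", "DENY"):
        return {"X-Frame-Options": value.upper()}
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    bad = [h for h in hosts if not _HOST_RE.match(h)]
    if bad or not hosts:
        raise ValueError(f"invalid hostname list: {setting!r}")
    return {
        # ALLOW-FROM is obsolete; frame-ancestors is what browsers enforce.
        # 'self' keeps same-origin embedding (the URL widget case) working.
        "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(hosts),
        # Browsers that support frame-ancestors ignore X-Frame-Options when both
        # are present, so this fallback only reaches legacy browsers.
        "X-Frame-Options": "SAMEORIGIN",
    }


def _source_matches(source: str, page: str, parent: str) -> bool:
    """Simplified host-source match: 'self' is full origin, others host and port only."""
    pg, p = urlsplit(page), urlsplit(parent)
    if source == "'self'":
        return (pg.scheme, pg.hostname, pg.port) == (p.scheme, p.hostname, p.port)
    s = urlsplit(source if "://" in source else f"{p.scheme}://{source}")
    return s.hostname == p.hostname and (s.port is None or s.port == p.port)


def framing_allowed(headers: Dict[str, str], page: str, parent: str) -> bool:
    """Emulate a modern browser deciding whether `parent` may frame `page`."""
    csp = headers.get("Content-Security-Policy", "")
    if csp.startswith("frame-ancestors"):          # CSP takes precedence over XFO
        return any(_source_matches(s, page, parent) for s in csp.split()[1:])
    xfo = headers.get("X-Frame-Options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _source_matches("'self'", page, parent)
    return True                                    # absent or unrecognised (e.g. ALLOW-FROM)
```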

      People

        Assignee: zabbix.dev Zabbix Development Team
        Reporter: natalja.zabbix Natalja Romancaka
        Votes: 1
        Watchers: 5