Problem report
Resolution: Fixed
Minor
6.0.11rc1, 6.2.5rc1, 6.4.0beta4
Sprint 98 (Mar 2023), Sprint 99 (Apr 2023), Sprint 100 (May 2023), Sprint 101 (Jun 2023), Sprint 102 (Jul 2023), Sprint 103 (Aug 2023), Sprint 104 (Sep 2023), Sprint 105 (Oct 2023), Sprint 106 (Nov 2023), S2401-1, S2401-2
0.25
According to the documentation, the "X-Frame-Options HTTP header" field can accept the following values:
SAMEORIGIN (default) - the page can only be displayed in a frame on the same origin as the page itself.
DENY - the page cannot be displayed in a frame, regardless of the site attempting to do so.
null - disable X-Frame-options header (not recommended).
Or a list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.
But only the SAMEORIGIN and DENY values actually work.
Precondition:
I have a virtual machine with the DNS name test-virtualbox, which is also reachable under the DNS name test-virtualbox.local.
1. "X-Frame-Options HTTP header" with null
Steps to reproduce:
- Open Zabbix via the DNS name test-virtualbox.local: http://test-virtualbox.local/master
- Navigate to Administration → General → Other
- Change "X-Frame-Options HTTP header" to null
- Go to Dashboard
- Create a URL widget with the URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (DNS name test-virtualbox)
Result:
The Zabbix page doesn't open in the widget; the browser shows the message: test-virtualbox refused to connect
Error in console: Refused to display 'http://test-virtualbox/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Expected:
The Zabbix page can be opened in the URL widget.
The "X-Frame-Options HTTP header" field should be optional. Instead of a null value, there should be an empty field to disable the X-Frame-Options header.
2. "X-Frame-Options HTTP header" with hostname
Steps to reproduce:
- Open Zabbix via the DNS name test-virtualbox.local: http://test-virtualbox.local/master
- Navigate to Administration → General → Other
- Fill in "X-Frame-Options HTTP header" with the hostname test-virtualbox (according to the documentation: a list (string) of comma-separated hostnames; if a listed hostname is not among allowed, the SAMEORIGIN option is used)
- Go to Dashboard
- Create a URL widget with the URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (DNS name test-virtualbox)
Result:
The Zabbix page doesn't open in the widget; the browser shows the message: test-virtualbox refused to connect
Error in console: Invalid 'X-Frame-Options' header encountered when loading 'http://test-virtualbox/': 'ALLOW-FROM test-virtualbox' is not a recognized directive. The header will be ignored.
Expected:
The Zabbix page can be opened in the URL widget.
According to the X-Frame-Options documentation, the ALLOW-FROM=url option is deprecated:
This is an obsolete directive that no longer works in modern browsers. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
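As an added illustration (not part of this report or of Zabbix's own code), the following Python checker evaluates, the way a current browser does, whether a page's response headers allow it to be shown in a frame from a given origin. It applies the precedence the report points to (a CSP frame-ancestors directive overrides X-Frame-Options) and treats unrecognised values such as the obsolete ALLOW-FROM as an ignored header, i.e. no framing protection at all. The URLs and header sets below are constructed from the two DNS names used in the report.

```python
from urllib.parse import urlsplit

def origin(url):  # (scheme, host, port) triple used for same-origin comparison
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port or (443 if p.scheme == "https" else 80))

def source_matches(source, embedder_url, page_url):
    """Match one CSP frame-ancestors source expression against the embedder's origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(embedder_url) == origin(page_url)
    if src == "*":
        return True
    scheme, host, port = origin(embedder_url)
    if "://" in src:
        src_scheme, _, src = src.partition("://")
        if src_scheme != scheme:
            return False
    src_host, _, src_port = src.partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host

def can_be_framed(headers, page_url, embedder_url):
    """Decide, as a current browser would, whether page_url may be framed by embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP frame-ancestors wins: X-Frame-Options is ignored when it is present.
            return any(source_matches(s, embedder_url, page_url) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(embedder_url) == origin(page_url)
    # No header, or an unrecognised value such as the obsolete ALLOW-FROM: the browser ignores it.
    return True

# Constructed responses mirroring the report: one Zabbix host reached under two DNS names.
PAGE = "http://test-virtualbox/master/zabbix.php?action=dashboard.view"
EMBEDDER = "http://test-virtualbox.local/master"
CASE_NULL_SETTING = {"X-Frame-Options": "sameorigin"}                 # what the report observed
CASE_ALLOW_FROM = {"X-Frame-Options": "ALLOW-FROM test-virtualbox"}   # obsolete directive
CASE_CSP = {"Content-Security-Policy": "frame-ancestors 'self' http://test-virtualbox.local"}
```

`can_be_framed(CASE_CSP, PAGE, EMBEDDER)` shows the frame-ancestors form that achieves what the hostname list in the setting was meant to do, while the same policy still rejects an unrelated origin.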