[ZBX-21973] X-Frame-Options HTTP header parameter can only accept sameorigin and deny Created: 2022 Nov 24  Updated: 2024 Apr 10  Resolved: 2024 Jan 30

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 6.0.11rc1, 6.2.5rc1, 6.4.0beta4
Fix Version/s: 6.0.26rc1, 6.4.11rc1, 7.0.0alpha9, 7.0 (plan)

Type: Problem report Priority: Minor
Reporter: Natalja Romancaka Assignee: Dmitrijs Fofanovs
Resolution: Fixed Votes: 1
Labels: urlwidget, widget, xframe
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-06-14-15-00-05-156.png     PNG File image-2023-11-10-17-40-24-477.png     PNG File image-2023-11-10-17-40-40-301.png     PNG File image-2023-11-10-17-40-49-868.png     PNG File image-2023-11-13-10-35-14-497.png     PNG File image-2023-11-13-10-59-36-898.png     PNG File image-2023-11-13-14-45-05-267.png     PNG File screenshot-1.png    
Issue Links:
Causes
Duplicate
Team: Team A
Sprint: Sprint 98 (Mar 2023), Sprint 99 (Apr 2023), Sprint 100 (May 2023), Sprint 101 (Jun 2023), Sprint 102 (Jul 2023), Sprint 103 (Aug 2023), Sprint 104 (Sep 2023), Sprint 105 (Oct 2023), Sprint 106 (Nov 2023), S2401-1, S2401-2
Story Points: 0.25

Description

According to documentation "X-Frame-Options HTTP header" field can accept values:
SAMEORIGIN (default) - the page can only be displayed in a frame on the same origin as the page itself.
DENY - the page cannot be displayed in a frame, regardless of the site attempting to do so.
null - disable X-Frame-options header (not recommended).
Or a list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.

But only the SAMEORIGIN and DENY values actually work.

Precondition:
I have a virtual machine with dns name test-virtualbox which is also available using dns test-virtualbox.local

1. "X-Frame-Options HTTP header" with null
Steps to reproduce:

  1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
  2. Navigate to Administration → General → Other
  3. Change "X-Frame-Options HTTP header" to null
  4. Go to Dashboard
  5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

Result:
zabbix page doesn't open in widget, message: test-virtualbox refused to connect
error in console: Refused to display 'http://test-virtualbox/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Expected:
Can open zabbix page in URL widget
Field "X-Frame-Options HTTP header" should be optional. Instead of null value, there should be empty field to disable the X-Frame-options header.

2. "X-Frame-Options HTTP header" with hostname
Steps to reproduce:

  1. Open zabbix by link with dns test-virtualbox.local - http://test-virtualbox.local/master
  2. Navigate to Administration → General → Other
  3. Fill in "X-Frame-Options HTTP header" hostname test-virtualbox (according to documentation: list (string) of comma-separated hostnames. If a listed hostname is not among allowed, the SAMEORIGIN option is used.)
  4. Go to Dashboard
  5. Create URL widget with URL value http://test-virtualbox/master/zabbix.php?action=dashboard.view (dns test-virtualbox)

Result:
zabbix page doesn't open in widget, message: test-virtualbox refused to connect
Error in console: Invalid 'X-Frame-Options' header encountered when loading 'http://test-virtualbox/': 'ALLOW-FROM test-virtualbox' is not a recognized directive. The header will be ignored.
Expected:
Can open zabbix page in URL widget.
According to X-Frame-Options documentation ALLOW-FROM=url option is deprecated.
This is an obsolete directive that no longer works in modern browsers. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
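As an added illustration (not Zabbix's own code, and not the fix referenced in the comments below), a hypothetical PHP helper showing how a frontend could map the "X-Frame-Options HTTP header" setting to response headers: an empty value or the literal "null" disables the header, SAMEORIGIN and DENY are sent unchanged, and a comma-separated hostname list is expressed with the CSP frame-ancestors directive instead of the obsolete ALLOW-FROM, falling back to SAMEORIGIN when no listed hostname is acceptable. The function name, the host-token pattern and the sample values are assumptions.

```php
<?php
// Hypothetical helper (not Zabbix code): translate the configured
// "X-Frame-Options HTTP header" value into the headers to emit.
function frameEmbeddingHeaders(string $setting): array
{
    $value = trim($setting);

    // Empty field or the literal "null" means "do not send the header".
    if ($value === '' || strcasecmp($value, 'null') === 0) {
        return [];
    }

    // The two directives browsers still honour pass through unchanged.
    $upper = strtoupper($value);
    if ($upper === 'SAMEORIGIN' || $upper === 'DENY') {
        return ['X-Frame-Options' => $upper];
    }

    // Anything else is treated as a comma-separated hostname list.
    // ALLOW-FROM is ignored by modern browsers, so express the list
    // with CSP frame-ancestors. Only plausible host tokens are kept
    // (assumed pattern: letters, digits, dots, hyphens, "*", ":" and "/").
    $hosts = [];
    foreach (explode(',', $value) as $host) {
        $host = trim($host);
        if ($host !== '' && preg_match('/^[A-Za-z0-9.*:\/\-]+$/', $host) === 1) {
            $hosts[] = $host;
        }
    }

    // No acceptable hostname: fall back to SAMEORIGIN, as the docs describe.
    if ($hosts === []) {
        return ['X-Frame-Options' => 'SAMEORIGIN'];
    }

    return ['Content-Security-Policy' => "frame-ancestors 'self' " . implode(' ', $hosts)];
}

// Constructed sample values for a stand-alone run.
foreach (['null', 'DENY', 'test-virtualbox, test-virtualbox.local', 'bad value!'] as $setting) {
    foreach (frameEmbeddingHeaders($setting) as $name => $headerValue) {
        echo "$setting => $name: $headerValue\n";
    }
}
```

After deploying a change like this, confirm what the server actually sends with `curl -sI http://test-virtualbox/master/zabbix.php?action=dashboard.view | grep -i -e x-frame-options -e content-security-policy`; the browser console error quoted above is the symptom of a header the browser does not accept.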



Comments
Comment by Bartosz Mickiewicz (Inactive) [ 2022 Dec 07 ]

Hi,

The customer mentioned that without changing the code in layout.htmlpage.php the solution in the documentation doesn't work. 

So, the client introduced this change in his environment. 

if ($data['config']['x_frame_options'] !== '') {
to
if ($data['config']['x_frame_options'] !== 'null') {

Comment by Dmitrijs Fofanovs [ 2023 Apr 03 ]

Resolved in dev branch:

Comment by Dmitrijs Fofanovs [ 2023 Dec 14 ]

Fixed in:

Comment by Arturs Dancis [ 2024 Jan 25 ]

Documentation updated:

  • Introduction > What's new in Zabbix (6.0.26, 6.4.11)
  • Web interface > Frontend sections > Administration > General (6.0, 6.4, 7.0)