freescout-helpdesk / freescout

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)
https://freescout.net
GNU Affero General Public License v3.0

Configure the X-Frame-Options add_headers correctly #3996

Closed Maddmax76 closed 3 weeks ago

Maddmax76 commented 3 weeks ago

Good morning. I'm trying to integrate the Knowledge Base module widget into my intranet site. Clicking on the popup tells me that the site refused the connection. This is because my Apache is configured to avoid cross-site scripting (XSS) attacks. The setting that blocks attacks should be add_header X-Frame-Options set to "SAMEORIGIN".

I would also like to allow intranet servers to access the Knowledge Base; those web servers can be reached under the same domain as the FreeScout server.

I would like help on how to configure my Apache to allow the opening of iframes also from certain URLs or IP addresses as well as from SAMEORIGIN.

Thank you!

PHP version: PHP 8.2.10-2ubuntu1
FreeScout version: 1.8.137
Database: MySQL 8.0.35
Are you using CloudFlare: No

freescout-helpdesk commented 3 weeks ago

There are some instructions in the Troubleshooting section of https://freescout.net/module/knowledge-base/

Maddmax76 commented 3 weeks ago

Thanks for the suggestion. Starting from that article, I learned that to allow multiple sources it is necessary to use the "ALLOW-FROM origin" directive of X-Frame-Options, which however is obsolete, and some browsers may ignore it. To solve the problem you need to use Content-Security-Policy, in which the "frame-ancestors" directive makes it possible to specify a list of addresses from which FreeScout and the Knowledge Base may be opened:

```apache
Header set Content-Security-Policy "frame-ancestors 'self' address1 address2 .... addressN;"
```
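
As an added example (not code from this thread or from FreeScout), the following Python script models how a browser decides whether a page may be framed, given the response headers an Apache vhost returns. It implements the relevant part of the CSP3 frame-ancestors matching rules together with the X-Frame-Options fallback. The origins used (https://helpdesk.example for the FreeScout server, https://intranet.example, https://*.corp.example and https://10.0.0.5 for intranet hosts) are constructed placeholders. It shows why "SAMEORIGIN" refused the intranet embed, that once a frame-ancestors directive is present the browser ignores X-Frame-Options entirely, how scheme, port, wildcard hosts and bare IP addresses are matched, and why the obsolete ALLOW-FROM form is simply ignored by current browsers, which leaves the page frameable from anywhere.

```python
"""Model of a browser's framing decision: CSP frame-ancestors first, then
X-Frame-Options. Added example for this issue, not FreeScout code; all
origins and header sets below are constructed test data."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) for an origin like 'https://intranet.example'."""
    u = urlsplit(origin)
    if not u.scheme or not u.hostname:
        raise ValueError(f"not an origin: {origin!r}")
    return u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme]


def source_matches(source: str, ancestor: str, page: str) -> bool:
    """CSP source-expression matching, limited to the forms frame-ancestors uses.
    Paths are irrelevant here: frame-ancestors compares ancestor *origins*."""
    if source == "'none'":
        return False
    if source == "'self'":
        return parse_origin(ancestor) == parse_origin(page)
    if source == "*":
        return True
    # host-source: [scheme://]host[:port], where host may start with "*."
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.partition(":")
    a_scheme, a_host, a_port = parse_origin(ancestor)
    if scheme is not None and scheme != a_scheme:
        # CSP lets an http: source match an https: ancestor, never the reverse
        if not (scheme == "http" and a_scheme == "https"):
            return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):  # "*.corp.example" matches "kb.corp.example"
            return False
    elif host.lower() != a_host:
        return False
    if port == "*":
        return True
    if port:
        return int(port) == a_port
    # No port in the source: it matches only the default port of the ancestor's scheme
    return a_port == DEFAULT_PORTS[a_scheme]


def framing_allowed(headers: dict[str, str], page: str, ancestor: str) -> bool:
    """May `page` (served with `headers`) be embedded by a frame on `ancestor`?"""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # A frame-ancestors directive is present: per CSP3 the browser
            # evaluates it and ignores X-Frame-Options completely.
            return any(source_matches(s, ancestor, page) for s in value.split())
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parse_origin(ancestor) == parse_origin(page)
    # No header, or an unrecognised value such as the obsolete "ALLOW-FROM ...":
    # current browsers ignore the header, so nothing restricts the embed.
    return True


# Constructed placeholders for the reporter's setup (assumed, not from the thread).
FREESCOUT = "https://helpdesk.example"
ORIGINAL = {"X-Frame-Options": "SAMEORIGIN"}  # the Apache setting that refused the embed
FIXED = {
    "X-Frame-Options": "SAMEORIGIN",  # may stay; frame-ancestors takes precedence
    "Content-Security-Policy":
        "frame-ancestors 'self' https://intranet.example https://*.corp.example https://10.0.0.5",
}
OBSOLETE = {"X-Frame-Options": "ALLOW-FROM https://intranet.example"}


def demo() -> dict[str, bool]:
    """Evaluate a few embedding origins against the three header sets."""
    return {
        "same origin / original": framing_allowed(ORIGINAL, FREESCOUT, FREESCOUT),
        "intranet / original": framing_allowed(ORIGINAL, FREESCOUT, "https://intranet.example"),
        "intranet / fixed": framing_allowed(FIXED, FREESCOUT, "https://intranet.example"),
        "intranet over http / fixed": framing_allowed(FIXED, FREESCOUT, "http://intranet.example"),
        "kb.corp.example / fixed": framing_allowed(FIXED, FREESCOUT, "https://kb.corp.example"),
        "corp.example itself / fixed": framing_allowed(FIXED, FREESCOUT, "https://corp.example"),
        "10.0.0.5 / fixed": framing_allowed(FIXED, FREESCOUT, "https://10.0.0.5"),
        "10.0.0.5:8443 / fixed": framing_allowed(FIXED, FREESCOUT, "https://10.0.0.5:8443"),
        "attacker site / fixed": framing_allowed(FIXED, FREESCOUT, "https://attacker.example"),
        "attacker site / ALLOW-FROM": framing_allowed(OBSOLETE, FREESCOUT, "https://attacker.example"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:32} {'ALLOWED' if allowed else 'blocked'}")
```

The FIXED header set corresponds to the `Header set Content-Security-Policy "frame-ancestors ..."` line above; in Apache, `Header always set` rather than `Header set` makes the policy apply to error responses as well. Note that frame-ancestors only works as a response header, never via a `<meta>` tag, and that listing a bare IP address or a wildcard host in the directive is what lets intranet hosts embed the widget without falling back to the ignored ALLOW-FROM form.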

freescout-helpdesk commented 3 weeks ago

Try to add the following parameter in the .env file and clear cache:

```ini
APP_CSP_CUSTOM="; frame-ancestors 'self' https://example.org;"
```

Maddmax76 commented 3 weeks ago

Thanks for this other solution. I will try to apply it if I still encounter difficulties after a trial period; for now, the CSP frame-ancestors directive declared in the Apache security configuration seems to work.

Thanks again