owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Unnecessary X-Frame-Options warning in admin panel with header set to DENY #23960

Closed eppfel closed 3 years ago

eppfel commented 8 years ago

Steps to reproduce

  1. Set HTTP header "X-Frame-Options" to "DENY" on your server
  2. Open the Admin panel in your browser

Expected behaviour

There should not be a warning.

Actual behaviour

A Warning is placed in the Admin panel: The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting. The warning is not incorrect as it states a "potential" risk, but it is annoying after spending 1-2 hours fixing all warnings.

Server configuration

Operating system: CentOS
Web server: Apache 2.2
Database: MySQL
PHP version: 5.6
ownCloud version: 9.0.1 (stable)
Updated from an older ownCloud or fresh install: fresh install
Where did you install ownCloud from: Web Installer

Signing status (ownCloud 9.0 and above): No errors have been found.

List of activated apps:

Enabled:

The content of config/config.php:

{
    "system": {
        "instanceid": "ocztm7fxpnfx",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "epp.cloud"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/epp.cloud",
        "dbtype": "mysql",
        "version": "9.0.1.3",
        "dbname": "eppcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "loglevel": 1,
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/home\/eppcloud\/.redis\/sock",
            "port": 0,
            "timeout": 0
        },
        "forcessl": true
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.2.1",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "2"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.0",
            "ocsid": "168707",
            "types": ""
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.1.0.0",
            "ocsid": "168708",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "installedat": "1460404187.1843",
            "lastcron": "1460459664",
            "lastupdateResult": "{\"version\":{},\"versionstring\":{},\"url\":{},\"web\":{}}",
            "lastupdatedat": "1460458587",
            "oc.integritycheck.checker": "[]",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "0.1.6",
            "types": "filesystem"
        },
        "external": {
            "enabled": "yes",
            "installed_version": "1.2",
            "ocsid": "166046",
            "types": ""
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "0.0.4",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.4.4",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "no",
            "installed_version": "0.8",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "0.9.1",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "yes",
            "installed_version": "2.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "0.8.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "0.9.8",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "1.1",
            "ocsid": "166055",
            "types": ""
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "14.5.0",
            "types": ""
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "0.2.3",
            "types": "logging"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "0.4.1",
            "types": "prevent_group_restriction"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "templateeditor": {
            "enabled": "yes",
            "installed_version": "0.1",
            "types": ""
        },
        "updatenotification": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        }
    }
}

Are you using encryption: no

Client configuration

Browser: Chrome 49
Operating system: MacOS 10.10.5

Logs

Browser log

{
  "log": {
    "version": "1.2",
    "creator": {
      "name": "WebInspector",
      "version": "537.36"
    },
    "pages": [
      {
        "startedDateTime": "2016-04-12T20:43:24.062Z",
        "id": "page_1",
        "title": "https://epp.cloud/index.php/settings/admin",
        "pageTimings": {
          "onContentLoad": 4182.437000039499,
          "onLoad": 4723.071000014897
        }
      }
    ],
    "entries": [
      {
        "startedDateTime": "2016-04-12T20:43:24.062Z",
        "time": 223.7569999997504,
        "request": {
          "method": "GET",
          "url": "https://epp.cloud/index.php/settings/admin",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Pragma",
              "value": "no-cache"
            },
            {
              "name": "Accept-Encoding",
              "value": "gzip, deflate, sdch"
            },
            {
              "name": "Host",
              "value": "epp.cloud"
            },
            {
              "name": "Accept-Language",
              "value": "en-US,en;q=0.8,de-DE;q=0.6,de;q=0.4,bs;q=0.2"
            },
            {
              "name": "Upgrade-Insecure-Requests",
              "value": "1"
            },
            {
              "name": "User-Agent",
              "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
            },
            {
              "name": "Accept",
              "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
            },
            {
              "name": "Cache-Control",
              "value": "no-cache"
            },
            {
              "name": "Cookie",
              "value": "***removed***"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            }
          ],
          "queryString": [],
          "cookies": "***removed***",
          "headersSize": 729,
          "bodySize": 0
        },
        "response": {
          "status": 200,
          "statusText": "OK",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Date",
              "value": "Tue, 12 Apr 2016 20:43:24 GMT"
            },
            {
              "name": "Strict-Transport-Security",
              "value": "max-age=15768000"
            },
            {
              "name": "X-Content-Type-Options",
              "value": "nosniff"
            },
            {
              "name": "X-Permitted-Cross-Domain-Policies",
              "value": "none"
            },
            {
              "name": "X-Powered-By",
              "value": "PHP/5.6.20"
            },
            {
              "name": "Transfer-Encoding",
              "value": "chunked"
            },
            {
              "name": "Connection",
              "value": "close"
            },
            {
              "name": "X-XSS-Protection",
              "value": "1; mode=block"
            },
            {
              "name": "Pragma",
              "value": "no-cache"
            },
            {
              "name": "Server",
              "value": "Apache/2.2.15 (CentOS)"
            },
            {
              "name": "X-Download-Options",
              "value": "noopen"
            },
            {
              "name": "X-Frame-Options",
              "value": "DENY"
            },
            {
              "name": "Content-Type",
              "value": "text/html; charset=UTF-8"
            },
            {
              "name": "Cache-Control",
              "value": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
            },
            {
              "name": "Content-Security-Policy",
              "value": "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *"
            },
            {
              "name": "X-Robots-Tag",
              "value": "none"
            },
            {
              "name": "Expires",
              "value": "Thu, 19 Nov 1981 08:52:00 GMT"
            }
          ],
          "cookies": [],
          "content": {
            "size": 34457,
            "mimeType": "text/html",
            "compression": -13
          },
          "redirectURL": "",
          "headersSize": 760,
          "bodySize": 34470,
          "_transferSize": 35230
        },
        "cache": {},
        "timings": {
          "blocked": 0.52900001173839,
          "dns": 38.00599998794501,
          "connect": 23.5040000407025,
          "send": 0.1009999541565989,
          "wait": 137.9210000159215,
          "receive": 23.695999989286406,
          "ssl": 14.629000041168098
        },
        "connection": "239059",
        "pageref": "page_1"
      }
    ]
  }
}

I guess the security test just checks against "sameorigin", but not "deny". If someone points me to where this might be fixed, I am willing to create a PR.

LukasReschke commented 8 years ago

Good catch. While the error message is not super accurate on this one it actually points out a valid problem. ownCloud relies in some cases on iframes to work properly (also for enhanced security such as sandboxing purposes) and a policy of DENY would break some stuff.

I'd accept a patch that adjusts this warning for this case a bit. But we should warn about stuff that could break.

The code can be found at https://github.com/owncloud/core/blob/a2da7614a0516d1e1c07ef60b308645d7a8ad480/core/js/setupchecks.js#L223-L253, the unit tests at https://github.com/owncloud/core/blob/a2da7614a0516d1e1c07ef60b308645d7a8ad480/core/js/tests/specs/setupchecksSpec.js
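As an added illustration of the distinction this comment draws (not ownCloud's own setupchecks.js), the function below classifies the X-Frame-Options value a setup check sees: SAMEORIGIN passes, DENY gets a specific "this breaks ownCloud's own iframes" warning, and a missing or other value gets the clickjacking error. The header object shape, the `level` field and the message wording are assumptions made for this example.

```javascript
// Added example, not code from the ownCloud project: classify the value of the
// X-Frame-Options response header the way the thread suggests the admin-panel
// check should, so that DENY is reported differently from a missing header.

function checkXFrameOptions(headers) {
  // Header names are case-insensitive; locate the header regardless of casing.
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === 'x-frame-options'
  );
  // Header values are compared case-insensitively as well (RFC 7034).
  const value = key ? String(headers[key]).trim().toUpperCase() : '';

  if (value === 'SAMEORIGIN') {
    // The value the check expects: framing allowed only from the same origin.
    return { ok: true, level: 'none', message: '' };
  }
  if (value === 'DENY') {
    // Stricter than needed: blocks even ownCloud's own same-origin iframes.
    return {
      ok: false,
      level: 'warning',
      message:
        'The "X-Frame-Options" HTTP header is set to "DENY". This blocks all ' +
        'framing, including ownCloud\'s own same-origin iframes, so some ' +
        'functionality may break. "SAMEORIGIN" is the recommended value.',
    };
  }
  if (value === '') {
    // No header at all: the instance can be framed by any site (clickjacking).
    return {
      ok: false,
      level: 'error',
      message:
        'The "X-Frame-Options" HTTP header is not set, so the instance can ' +
        'be framed by other sites. Set it to "SAMEORIGIN".',
    };
  }
  // Any other value (e.g. ALLOW-FROM) is not what the check expects either.
  return {
    ok: false,
    level: 'error',
    message:
      'The "X-Frame-Options" HTTP header is "' + value + '", not ' +
      '"SAMEORIGIN". Adjust it to "SAMEORIGIN".',
  };
}

// Constructed sample mirroring the response headers in the browser log above.
const sampleHeaders = { 'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff' };
```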

eppfel commented 8 years ago

Ok, never encountered iframes inside ownCloud, but if it could break stuff, I will change my header back to "sameorigin".

So, yeah, basically this ticket points out that the warnings are too generic. I'll gladly have a look into it in the future. Btw, thx for an awesome product!