ср, 6 окт. 2021 г. в 13:10, Martin Knoblauch <knobi@xxxxxxxxxxxx>: > > Hi, > > sorry for asking this likely stupid question. This is with Apache HTTPD 2.4.48. > > I want to change the value of the X-Frame-Options response header from DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53. > > Naively, because the mod_header documentation says "The response header is set, replacing any previous header with this name. The value may be a format string.", I added a single > > Header always set X-Frame-Options SAMEORIGIN > > to the VirtualHost section of the httpd configuration. To my surprise my browser (FF and Chrome) has two headers now, one with DENY, one with SAMEORIGIN. And falls back to DENY :-( > > When I add an unset before the set, it works > > Header unset X-Frame-Options > Header always set X-Frame-Options SAMEORIGIN > > Is my understanding of the mod_header documentation wrong, or do I miss somethiong subtle? See my recent answer in "X-Frame-Options and security" thread. https://httpd.markmail.org/message/pwsrgbj7pjy4qiei All is in the docs, if you read carefully, but I agree that it is subtle. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header Essentially, (as far as I am reading it), "onsuccess" and "always" are just names of two separate tables (lists) of headers that exist in parallel. <quote> it does not offer any "normalized" single list of headers </quote> Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|