Re: Stupid question on mod_header

On Wed, Oct 6, 2021 at 8:58 PM Konstantin Kolinko <knst.kolinko@xxxxxxxxx> wrote:
Wed, 6 Oct 2021 at 13:10, Martin Knoblauch <knobi@xxxxxxxxxxxx>:
>
> Hi,
>
>  sorry for asking this likely stupid question. This is with Apache HTTPD 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is set, replacing any previous header with this name. The value may be a format string.", I added a single
>
>     Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my browser (FF and Chrome) has two headers now, one with DENY, one with SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
>     Header unset X-Frame-Options
>     Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss something subtle?

See my recent answer in "X-Frame-Options and security" thread.
https://httpd.markmail.org/message/pwsrgbj7pjy4qiei

All is in the docs, if you read carefully, but I agree that it is subtle.
https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

Essentially, (as far as I am reading it), "onsuccess" and "always" are
just names of two separate tables (lists) of headers that exist in
parallel.

<quote>
it does not offer any "normalized" single list of headers
</quote>

Best regards,
Konstantin Kolinko


Hi Konstantin,

 OK, so I apparently did not read carefully enough and got the onsuccess/always meaning wrong. Subtle indeed :-)

Anyway, I solved my problem at the root and convinced Spring Websecurity to send the "right" header value in the first place.

Cheers
Martin

--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
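The two-table behaviour Konstantin describes, worked through as an added simulation (not httpd code and not part of this thread): a proxied backend's headers land in the "onsuccess" table, `Header always ...` edits only the separate "always" table, and the client receives both tables concatenated. The table and directive names are the thread's; the `apply_directives`/`xfo_values` helpers and the sample Tomcat response are constructed for this example.

```python
"""Model of mod_headers' "onsuccess" and "always" response-header tables.

Added illustration of the behaviour reported in the thread, not Apache code:
a `Header` directive edits only the table named by its condition (default
"onsuccess"), and the response sent to the client is the concatenation of
both tables, so nothing ever de-duplicates a header present in each.
"""
from typing import Dict, List, Tuple

# (condition, action, header name, value) -- value is ignored for "unset"
Directive = Tuple[str, str, str, str]
Header = Tuple[str, str]


def apply_directives(backend_headers: Dict[str, str],
                     directives: List[Directive]) -> List[Header]:
    """Return the headers the client sees after the directives run."""
    # Headers returned by the proxied backend (e.g. Tomcat) start out in
    # the onsuccess table; the always table starts empty.
    tables: Dict[str, Dict[str, str]] = {"onsuccess": dict(backend_headers),
                                         "always": {}}
    for cond, action, name, value in directives:
        table = tables[cond]          # only the named table is touched
        if action == "set":
            table[name] = value       # replaces within this table only
        elif action == "unset":
            table.pop(name, None)
        else:
            raise ValueError(f"unsupported action {action!r}")
    # No normalized single list: both tables are emitted one after the other.
    return [(n, v) for t in ("onsuccess", "always") for n, v in tables[t].items()]


def xfo_values(headers: List[Header]) -> List[str]:
    """All X-Frame-Options values in send order (a duplicate is a misconfig)."""
    return [v for n, v in headers if n.lower() == "x-frame-options"]


# Constructed sample: what a Tomcat-backed application returned in the thread.
BACKEND = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}

# 1) The original config: `Header always set X-Frame-Options SAMEORIGIN`
NAIVE = [("always", "set", "X-Frame-Options", "SAMEORIGIN")]
# 2) The working config from the thread: plain unset (onsuccess), then always set
UNSET_THEN_ALWAYS = [("onsuccess", "unset", "X-Frame-Options", ""),
                     ("always", "set", "X-Frame-Options", "SAMEORIGIN")]
# 3) Plain `Header set` edits the onsuccess table where the backend header lives
ONSUCCESS_SET = [("onsuccess", "set", "X-Frame-Options", "SAMEORIGIN")]

if __name__ == "__main__":
    for label, d in (("naive", NAIVE), ("unset+always", UNSET_THEN_ALWAYS),
                     ("onsuccess set", ONSUCCESS_SET)):
        print(f"{label:14s} -> {xfo_values(apply_directives(BACKEND, d))}")
```

Variant 3 keeps the header on success responses only, which is why the thread's unset-then-`always set` pair is the one that also covers non-2xx responses.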
