[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-users
Subject:    Re: [users@httpd] Stupid question on mod_header
From:       Martin Knoblauch <knobi () knobisoft ! de>
Date:       2021-10-11 14:10:32
Message-ID: CAJtcoLasyw8uwGJkN-ck_fKOCbziVZuTp2hRzFJTfJS7rzhGHA () mail ! gmail ! com

On Wed, Oct 6, 2021 at 8:58 PM Konstantin Kolinko <knst.kolinko@gmail.com>
wrote:

> ср, 6 окт. 2021 г. в 13:10, Martin Knoblauch <knobi@knobisoft.de>:
> >
> > Hi,
> >
> >  sorry for asking this likely stupid question. This is with Apache HTTPD
> 2.4.48.
> >
> > I want to change the value of the X-Frame-Options response header from
> DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
> >
> > Naively, because the mod_header documentation says "The response header
> is set, replacing any previous header with this name. The value may be a
> format string.", I added a single
> >
> >     Header always set X-Frame-Options SAMEORIGIN
> >
> > to the VirtualHost section of the httpd configuration. To my surprise my
> browser (FF and Chrome) has two headers now, one with DENY, one with
> SAMEORIGIN. And falls back to DENY :-(
> >
> > When I add an unset before the set, it works
> >
> >     Header unset X-Frame-Options
> >     Header always set X-Frame-Options SAMEORIGIN
> >
> > Is my understanding of the mod_header documentation wrong, or do I miss
> something subtle?
>
> See my recent answer in "X-Frame-Options and security" thread.
> https://httpd.markmail.org/message/pwsrgbj7pjy4qiei
>
> All is in the docs, if you read carefully, but I agree that it is subtle.
> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>
> Essentially, (as far as I am reading it), "onsuccess" and "always" are
> just names of two separate tables (lists) of headers that exist in
> parallel.
>
> <quote>
> it does not offer any "normalized" single list of headers
> </quote>
>
> Best regards,
> Konstantin Kolinko
>
>
Hi Konstantin,

 OK, so I apparently did not read carefully enough and got the
onsuccess/always meaning wrong. Subtle indeed :-)

Anyway, I solved my problem at the root and convinced Spring Websecurity to
set the "right" header value in the first place.

Cheers
Martin

-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
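
The following check is an added example and is not code from this thread or from the httpd project. It assumes only a POSIX shell with awk, grep and tr, and the header dumps embedded in it are constructed for illustration, not captured from the poster's servers. Its purpose is to confirm the symptom Martin describes and the effect of his fix: a plain "Header always set" writes to the "always" table while the proxied backend's X-Frame-Options lives in the default "onsuccess" table, so the response ends up carrying both values; the "Header unset" before the "Header always set" is what removes the backend's DENY. Piping the output of `curl -sI` into `check_single_xfo` tells you whether exactly one X-Frame-Options header with the intended value reached the client.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a response carries exactly
# one X-Frame-Options header with the intended value. Two X-Frame-Options
# headers (DENY from the backend plus SAMEORIGIN from httpd) are the symptom
# discussed above; the fix there was
#     Header unset X-Frame-Options
#     Header always set X-Frame-Options SAMEORIGIN
# because "onsuccess" (the default) and "always" address two separate header
# tables and "Header always set" alone does not touch the table that holds the
# proxied backend's header.

# Print the value of every X-Frame-Options header read from stdin, one per
# line, matching the header name case-insensitively and trimming CR and blanks.
xfo_values() {
    tr -d '\r' | awk -F: 'tolower($1) == "x-frame-options" {
        v = substr($0, index($0, ":") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v
    }'
}

# Return 0 only if stdin holds exactly one X-Frame-Options header and its
# value equals $1 (compared case-insensitively); otherwise report the observed
# values on stderr and return 1.
check_single_xfo() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    vals=$(xfo_values)
    n=$(printf '%s\n' "$vals" | grep -c . || true)
    got=$(printf '%s' "$vals" | tr '[:lower:]' '[:upper:]')
    if [ "$n" -eq 1 ] && [ "$got" = "$want" ]; then
        return 0
    fi
    printf 'expected one X-Frame-Options: %s, got %s header(s): %s\n' \
        "$want" "$n" "$(printf '%s' "$vals" | tr '\n' ' ')" >&2
    return 1
}

# Constructed header dumps (what `curl -sI` would print), not captured from a
# real server: first the broken configuration, then the corrected one.
BROKEN_HEADERS='HTTP/1.1 200 OK
Date: Mon, 11 Oct 2021 14:10:32 GMT
Server: Apache/2.4.48
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
'
FIXED_HEADERS='HTTP/1.1 200 OK
Date: Mon, 11 Oct 2021 14:10:32 GMT
Server: Apache/2.4.48
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
'

# Demonstration on the constructed dumps: the broken one is rejected, the
# fixed one accepted.
printf '%s' "$BROKEN_HEADERS" | check_single_xfo SAMEORIGIN || echo "duplicate X-Frame-Options detected"
printf '%s' "$FIXED_HEADERS" | check_single_xfo SAMEORIGIN && echo "single X-Frame-Options: SAMEORIGIN"

# Against a live server (hostname is a placeholder):
#   curl -sI https://example.invalid/ | check_single_xfo SAMEORIGIN && echo ok
```

Run it against the front-end vhost rather than Tomcat directly, since the point is to observe what httpd merges from both header tables; checking only the backend would never show the duplicate.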
