Overriding X-Frame-Options deny

(J. Scott Elblein) #1

I have 2 web apps (Plex web UI and SourceGraph) that I’m trying to add to Organizr. Both of those have set ‘X-Frame-Options’ to ‘deny’, so it won’t load in Organizr.

I get the error: can't load (site) in a frame because it set 'X-Frame-Options' to 'deny' in the console.

Anyone know a way to override this just for my own reverse proxied (RP) domains, but still allow it to deny from all other domains?

I’ve tried these so far in my Caddyfile with no luck.
(note that my.domain.rocks is the RP domain that Organizr is running on; myother.domain.rocks is the RP sourcegraph is running on):

  header / {
    X-Content-Type-Options nosniff
    X-XSS-Protection "1; mode=block"
    X-Frame-Options "allow-from https://my.domain.rocks"
    X-Frame-Options "allow-from https://myother.domain.rocks"
    Strict-Transport-Security "max-age=31536000;"
  }

Also,

  header / {
    X-Content-Type-Options nosniff
    X-XSS-Protection "1; mode=block"
    X-Frame-Options "sameorigin"
    Strict-Transport-Security "max-age=31536000;"
  }

Also tried adding directly to the proxy:

i.e.

  header_upstream X-Frame-Options "allow-from domain.rocks"

or,

  header_upstream X-Frame-Options "allow-from https://my.domain.rocks"
  header_upstream X-Frame-Options "allow-from https://myother.domain.rocks"

or,

  header_upstream X-Frame-Options "sameorigin"

None seem to make any difference. Is there a way to do this other than hacking the code of the actual web apps themselves to remove the Deny code, which I really would prefer not doing?

(Matthew Fay) #2

You’re using header_upstream, which sends the header to the app you’re proxying, i.e. as a request header.

You probably want header_downstream, which sends it back to the client as a response header. You’re on the right track, though, but it’s gonna be a slog getting this working, I expect.
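An added example (not from this thread and not Caddy code) that models why the attempts in #1 fail and what the response headers sent downstream, as #2 suggests, should look like. It is a simplified version of the browser's framing decision: a `Content-Security-Policy` `frame-ancestors` directive wins over `X-Frame-Options`; otherwise any `deny` value blocks, `sameorigin` restricts to the page's own origin, and unrecognised values such as `allow-from` are ignored by current browsers (so used alone they remove the protection rather than narrow it). The header names are real; the function names, the `UPSTREAM` header set and the `TRUSTED` origin list are constructed for the example, and the source matching only handles `'none'`, `'self'`, explicit `scheme://host[:port]` sources and a leading `*.` host wildcard.

```python
"""Model of a browser's framing decision plus the header rewrite a reverse
proxy should apply so only its own origins may frame the upstream app.
Example code for this thread; simplified, not a full CSP implementation."""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """scheme://host[:port], lowercased, default port dropped."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port is None or _DEFAULT_PORTS.get(scheme) == p.port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{p.port}"


def _values(headers, name):
    """All values of a header (case-insensitive name), comma-split like HTTP does."""
    return [part.strip() for n, v in headers if n.lower() == name.lower()
            for part in v.split(",")]


def _frame_ancestors_policies(headers):
    """One source list per CSP policy that carries a frame-ancestors directive."""
    lists = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.lower() for t in tokens[1:]])
    return lists


def _source_matches(source, ancestor, page):
    """Simplified CSP source matching (ancestor and page are normalised origins)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == page
    if "://" not in source:
        return False  # scheme-less and keyword forms are not modelled here
    scheme, _, hostport = source.partition("://")
    a_scheme, _, a_hostport = ancestor.partition("://")
    if scheme != a_scheme:
        return False
    if hostport.startswith("*."):
        return a_hostport.endswith(hostport[1:])  # "*.d.rocks" -> ".d.rocks"
    return hostport == a_hostport


def may_frame(response_headers, page_url, ancestor_url):
    """True if the browser would render page_url framed by ancestor_url."""
    page, ancestor = _origin(page_url), _origin(ancestor_url)
    policies = _frame_ancestors_policies(response_headers)
    if policies:  # every policy with frame-ancestors must allow the ancestor
        return all(any(_source_matches(s, ancestor, page) for s in srcs)
                   for srcs in policies)
    xfo = {v.lower() for v in _values(response_headers, "X-Frame-Options")}
    if "deny" in xfo:          # deny wins over anything else that was sent
        return False
    if "sameorigin" in xfo:
        return ancestor == page
    return True                # no header, or only unrecognised values


def restrict_framing_to(response_headers, allowed_origins):
    """Headers to send downstream: drop the app's X-Frame-Options and any
    frame-ancestors it set, then add frame-ancestors naming only our origins."""
    kept = []
    for name, value in response_headers:
        if name.lower() == "x-frame-options":
            continue
        if name.lower() == "content-security-policy":
            policies = []
            for policy in value.split(","):
                rest = [d.strip() for d in policy.split(";") if d.strip()
                        and d.strip().split()[0].lower() != "frame-ancestors"]
                if rest:
                    policies.append("; ".join(rest))
            if policies:
                kept.append((name, ", ".join(policies)))
            continue
        kept.append((name, value))
    sources = " ".join(_origin(o) for o in allowed_origins)
    kept.append(("Content-Security-Policy", f"frame-ancestors {sources}"))
    return kept


# Constructed sample: what an app that sets DENY returns, and the proxy's own origins.
UPSTREAM = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
TRUSTED = ["https://my.domain.rocks", "https://myother.domain.rocks"]
APP = "https://myother.domain.rocks/"            # app behind the proxy
ORGANIZR = "https://my.domain.rocks/organizr"    # page that frames it

if __name__ == "__main__":
    print("upstream headers, framed by Organizr:",
          may_frame(UPSTREAM, APP, ORGANIZR))
    hardened = restrict_framing_to(UPSTREAM, TRUSTED)
    print("rewritten headers:", hardened)
    print("framed by Organizr:", may_frame(hardened, APP, ORGANIZR))
    print("framed by other site:", may_frame(hardened, APP, "https://other.example/"))
```

The rewrite keeps any other CSP directives the app sent and only replaces framing control, so the app's remaining protections stay intact while framing is limited to the listed origins. In the Caddy v1 setup from this thread, the `header_downstream` subdirective named in #2 is where such response headers would be emitted.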