We are running Apache 2.4 in order to serve our Typo3-generated websites.
In general we want to have the X-Frame-Options SAMEORIGIN header present for all requests.
With one exception: for a specific URL this header should be unset, since it has to be used inside an iframe from another domain.
So I added something like this:
Header always set X-Frame-Options SAMEORIGIN
<Location /anotherURL>
Header always unset X-Frame-Options
</Location>
When I try to request the given URL https://www.example.com/ I see the X-Frame-Options header in the response, but with https://www.example.com/anotherURL this header is still present.
I have checked that the Location directive is actually processed by adding a Require all denied to the Location directive. With this active, the access to the URL /anotherURL is denied, as expected.
If I change the Location from /anotherURL to /typo3 the unset works as expected.
The only difference I see between these two URLs is that /typo3 exists in the directory structure under htdocs, whereas /anotherURL is a URL processed by Typo3.
My question now is: why does Apache ignore my Header unset command? From Apache's point of view it should be ignorant of what Typo3 is doing; once it generates the response header, the Location directive should match (which it obviously does) and then process the commands inside.
I have browsed some of the other questions regarding problems with unsetting of HTTP headers, but no suggestion has solved my specific problem.
Here are my insights on this:
The main reason why my Header statements are not executed inside the Location directive lies in mod_rewrite.
Once a request with a virtual URL like /anotherURL, for which no physical entity exists, comes in, mod_rewrite immediately begins to apply its rules. Here it maps it to /index.php and pushes the information /anotherURL into GET parameters, which are used later on to identify the Typo3 page. This explains why the Header statements are not executed: the Location of the request has changed.
Now to the solution, which works for me. Since I cannot rely on the URL, I have to find another piece of information. For me the Referer suits just fine:
SetEnvIf Referer ^https:\/\/www.(location1|location2).de\/test\.html$ IFRAME_ENV
Header always set X-Frame-Options "sameorigin" env=!IFRAME_ENV
will do the trick.
Now for every request the Referer is checked. By default the X-Frame-Options header is added, except when the Referer is set to one of the two URLs from which I want to allow iframe embedding.
If anyone knows how to apply Location directives before mod_rewrite kicks in, I am very open-minded to such a solution :) Until then, this seems to work for me.
Thanks to everyone for the support.
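To make the Referer-based rule above concrete, here is an added example (Python, not Apache code and not part of the original answer) that models what the two directives decide for a few constructed requests to the embeddable URL. It assumes Python's re behaves like Apache's PCRE for this pattern, which holds for the anchors, the alternation and the unescaped dots, and it also evaluates a tightened variant with every literal dot escaped (my assumption about what the pattern was meant to express), so the difference shows up for a look-alike hostname. The request names and headers are constructed sample data.

```python
import re

# Constructed Python model (not Apache code) of the two directives from the answer:
#   SetEnvIf Referer <regex> IFRAME_ENV
#   Header always set X-Frame-Options "sameorigin" env=!IFRAME_ENV
# Apache evaluates the SetEnvIf regex with PCRE; Python's re gives the same result
# for this pattern (anchors, alternation, unescaped '.').

LOOSE_PATTERN = r"^https:\/\/www.(location1|location2).de\/test\.html$"
# Tightened variant (assumption: this is what was intended): every literal dot is
# escaped, so 'www' must be followed by a real '.' and so must the host label.
STRICT_PATTERN = r"^https://www\.(location1|location2)\.de/test\.html$"


def response_headers(request_headers, pattern=LOOSE_PATTERN):
    """Return the response headers the rule would add: X-Frame-Options or nothing.

    request_headers is a dict of incoming request headers (constructed here).
    SetEnvIf matches the raw Referer value; a missing Referer never matches.
    """
    referer = request_headers.get("Referer")
    iframe_env = referer is not None and re.search(pattern, referer) is not None
    # env=!IFRAME_ENV: the header is set only when the variable was NOT set
    if not iframe_env:
        return {"X-Frame-Options": "sameorigin"}
    return {}


# Constructed sample requests for the URL that must be embeddable from another domain
SAMPLE_REQUESTS = {
    "no_referer": {},
    "allowed_embedder": {"Referer": "https://www.location1.de/test.html"},
    "other_page_on_allowed_host": {"Referer": "https://www.location1.de/other.html"},
    "unrelated_site": {"Referer": "https://unrelated.example/test.html"},
    # Matches the loose pattern only because the unescaped '.' in 'www.' and '.de'
    # accepts any character; the strict pattern rejects it.
    "lookalike_host": {"Referer": "https://wwwXlocation1Xde/test.html"},
}


def evaluate(pattern=LOOSE_PATTERN):
    """Map each sample request name to True if X-Frame-Options would be sent."""
    return {name: "X-Frame-Options" in response_headers(hdrs, pattern)
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, pattern in (("loose (as posted)", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{label}:")
        for name, sent in evaluate(pattern).items():
            state = "sent" if sent else "omitted"
            print(f"  {name:28s} X-Frame-Options {state}")
```

Two things the run makes visible. A request without a Referer (browsers omit it under several Referrer-Policy settings) always gets SAMEORIGIN, which is the safe default for the site but means the embedding pages must actually send a Referer for the exception to apply. And the unescaped dots in the posted pattern let a hostname such as wwwXlocation1Xde satisfy the loose regex, so escaping them as in the strict variant keeps the exception limited to the two intended pages.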
Try this:
Had the same thing with a JBoss backend not unsetting a header and the above fixed it. Can't remember why now (something to do with the order of processing when including the always keyword).