[Bug]: X-Frame-Options is obsoleted by CSP frame-ancestors and is not checked in security overview #34748
Open
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
X-Frame-Options has been obsoleted by Content-Security-Policy's frame-ancestors directive and the security check should pass if either are present, instead of just checking X-Frame-Options. Documentation and the server scanner may also need to be updated if this change is made.
Steps to reproduce
- Set header
Content-Security-Policy: frame-ancestors 'self' https://somesite.com - Visit the server security overview page or test the server with the server scanner
- Receive warning about
X-Frame-Options
Expected behavior
Only show warning if both X-Frame-Options and Content-Security-Policy are missing, potentially encourage users to include CSP frame-ancestors instead of/and replace SAMEORIGIN.
Installation method
No response
Operating system
No response
PHP engine version
No response
Web server
No response
Database engine version
No response
Is this bug present after an update or on a fresh install?
No response
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
No response
List of activated Apps
unnecessaryNextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response