Apache 2.4: Header unset in <Location> does not work
Solution 1
Here are my insights for this:
The main problem, why my Header statements are not executed inside the Location-Directive lies in mod_rewrite.
Once a request with a virtual URL like /anotherURL, for which no physical entity exists, comes in, mod_rewrite immediately begins to apply its rules. Here it maps it to /index.php and pushes the information /anotherURL into GET parameters, which are used later on to identify the Typo3 page.
This explains why the Header statements are not executed, the Location of the request has changed.
Now to the solution, which works for me. Since I cannot rely on the URL, I have to find another piece of information. For me the Referer suits me just fine:
SetEnvIf Referer ^https:\/\/www\.(location1|location2)\.de\/test\.html$ IFRAME_ENV
Header always set X-Frame-Options "sameorigin" env=!IFRAME_ENV
Will do the trick.
Now for every request the referer is checked. By default the X-Frame-Options header is added, except when the referer is set to the two URLs from which I want to allow iFrame embedding.
If anyone knows how to apply Location directives before mod_rewrite kicks in, I am very open-minded for such a solution :) Until then this seems to work for me.
Thanks to everyone for the support.
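For the open question in this answer (acting on the originally requested URL even after mod_rewrite has mapped it to /index.php), one possibility is to match the raw request line instead of the Referer. This is an added example, not part of the original answer; it assumes Apache 2.4.10 or later (for expr= on Header), mod_headers loaded, server or virtual-host context, and that the two embedding sites are served from https://www.location1.de and https://www.location2.de.

```apache
# Added example (not from the original answer).
# /anotherURL and the location1/location2 hosts are the page's placeholders.

# Default for every response: framing by the same origin only.
Header always set X-Frame-Options "SAMEORIGIN"

# THE_REQUEST holds the raw request line, e.g. "GET /anotherURL HTTP/1.1".
# mod_rewrite does not change it, so it still names the URL the client asked
# for after the internal mapping to /index.php.
# The character class [/? ] demands a boundary after the path, so that
# /anotherURLfoo is not treated as the embeddable page.

# Exception: drop X-Frame-Options for the embeddable page only ...
Header always unset X-Frame-Options "expr=%{THE_REQUEST} =~ m#^[A-Z]+ /anotherURL[/? ]#"

# ... and name the origins that may frame it, so that removing the header
# does not open the page to framing by arbitrary sites.
Header always set Content-Security-Policy "frame-ancestors 'self' https://www.location1.de https://www.location2.de" "expr=%{THE_REQUEST} =~ m#^[A-Z]+ /anotherURL[/? ]#"
```

A request line that does not match the pattern literally (for example a differently encoded path) keeps X-Frame-Options: SAMEORIGIN, so the exception fails closed.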
Solution 2
Try this:
<Location /anotherURL>
Header always unset X-Frame-Options
Header unset X-Frame-Options
</Location>
Had same thing with JBoss backend not unsetting a header and above fixed it. Can't remember why again now (something to do with order of processing when including always keyword).
Tobias Wolf
Updated on September 18, 2022
Comments
-
Tobias Wolf over 1 year
We are running Apache 2.4 in order to serve our Typo3-generated websites.
In general we want to have the X-Frame-Options SAMEORIGIN header present for all requests. With one exception. For a specific URL this header should be unset, since it has to be used inside an iFrame from another domain.
So I added something like this:
Header always set X-Frame-Options SAMEORIGIN
<Location /anotherURL>
Header always unset X-Frame-Options
</Location>
When I try to request the given URL https://www.example.com/ I see the X-Frame-Options header in the response, but with https://www.example.com/anotherURL this header is still present.
I have checked that the Location directive is actually processed by adding a Require all denied to the Location directive. With this active, the access to the URL /anotherURL is denied, as expected.
If I change the Location from /anotherURL to /typo3 the unset works as expected.
The only difference I see between these two URLs is that /typo3 exists in the directory structure under htdocs whereas /anotherURL is a URL processed by Typo3.
My question now is, why does Apache ignore my Header unset command? From Apache's point of view it should be ignorant of what Typo3 is doing; once it generates the response header the Location directive should match (which it is obviously doing) and then process the commands inside.
I have browsed some of the other questions regarding problems with unsetting of HTTP headers, but no suggestion has solved my specific problem.
-
Tobias Wolf almost 8 years
Thanks for your answer. Just tried it in my setup, but it did not work for me. The X-Frame-Options header is still sent back from Apache. Even a Header always set testheader "TEST" will be ignored inside the Location element.
-
Barry Pollard almost 8 years
Sounds like a problem with your Location directive then. Anything in the Apache error logs?
-
Tobias Wolf almost 8 years
Yeah, this was my thought also. But if I add a statement like Deny from all to the Location directive, the specific URL is not reachable any more. So the directive is recognized by Apache, but somehow it seems that the response headers cannot be modified in this case.
-
Tobias Wolf almost 8 years
Here are my new insights about this topic. I think the reason for this behaviour lies in the rewrite rules. The request URL /anotherURL is already mapped to index.php and then any stuff in a <Location> directive is executed. If I change <Location /anotherURL> to <Location /index.php> at last the statements of the directive are executed. But now the information upon which I wanted to handle the different logic is lost to me. I have already tried to set an env variable by the time mod_rewrite handles the request with: RewriteRule ^anotherURL/$ - [E=anotherURL]
-
Tobias Wolf almost 8 years
But this variable seems not to be accessible for the Header directive, since a Header always unset X-Frame-Options env=anotherURL is not executed.