Cannot adjust X-Frame-Options

LukeSkywalker · May 10, 2022, 12:46am

Infos:

Used Zammad version: VERSION=-5.1.0-4
Used Zammad installation type: (docker-compose)
Operating system: Debian
Browser + version: Firefox latest

Expected behavior:

Make Zammad embedable as iFrame by setting X-Frame-Options from “SAMEORIGIN” to “ALLOW-FROM”.

I added the following line to production.rb in ZAMMAD_DIR/config/environments/production.rb

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOW-FROM http://some-origin.com' }

Actual behavior:

Every time I rastart the container the config is gone and X-Frame-Options is set to SAMEORIGIN.

Possible Solution

Adjust zammad-init-container?

TomGem · May 10, 2022, 3:28pm

a) copy and map production.rb to a persistent docker volume

b) instead of docker use the package version of Zammad

MrGeneration · May 10, 2022, 3:42pm

Dear future anon finding this thread.
Please note that changing any source code files is connected with possible dangers and issues that you will be alone with.

Changing X-Frame options of Zammad is a very dangerous operation.
While the settings may seem a bit too paranoid, they were chosen that way for very good reasons: Your security.

TomGem · May 10, 2022, 6:58pm

True.
Of course I was only generally speaking on how to make a change in a docker container permanent.

LukeSkywalker · May 10, 2022, 7:53pm

@TomGem Package is not an option, since I am running other web services behind a reverse proxy. Will try directly mounting the file into the docker container. The general idea came to mind, but I was tired after an all nighter this morning so decided to first post the question. Will report back, whether it worked as expected or whether I run into any issues…

@MrGeneration Could you elaborate on potential dangers in general and specifially when allowing access from a authentication protected route of a webapp that is only reachable through VPN?

MrGeneration · May 10, 2022, 9:16pm

Adjusting X-Frame options is always a potential danger.
It’s not directly pinned to your situation but a general warning to our dear copy cats out there.

Adjust X-Frame headers may cause possible cross site issues that could be introduced or similar.

system · September 7, 2022, 9:17pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.