Cannot adjust X-Frame-Options


  • Used Zammad version: VERSION=-5.1.0-4
  • Used Zammad installation type: (docker-compose)
  • Operating system: Debian
  • Browser + version: Firefox latest

Expected behavior:

Make Zammad embedable as iFrame by setting X-Frame-Options from “SAMEORIGIN” to “ALLOW-FROM”.

I added the following line to production.rb in ZAMMAD_DIR/config/environments/production.rb

config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOW-FROM' }

Actual behavior:

Every time I rastart the container the config is gone and X-Frame-Options is set to SAMEORIGIN.

Possible Solution

Adjust zammad-init-container?

a) copy and map production.rb to a persistent docker volume

b) instead of docker use the package version of Zammad

Dear future anon finding this thread.
Please note that changing any source code files is connected with possible dangers and issues that you will be alone with.

Changing X-Frame options of Zammad is a very dangerous operation.
While the settings may seem a bit too paranoid, they were chosen that way for very good reasons: Your security.

Of course I was only generally speaking on how to make a change in a docker container permanent. :innocent:

@TomGem Package is not an option, since I am running other web services behind a reverse proxy. Will try directly mounting the file into the docker container. The general idea came to mind, but I was tired after an all nighter this morning so decided to first post the question. Will report back, whether it worked as expected or whether I run into any issues…

@MrGeneration Could you elaborate on potential dangers in general and specifially when allowing access from a authentication protected route of a webapp that is only reachable through VPN?

Adjusting X-Frame options is always a potential danger.
It’s not directly pinned to your situation but a general warning to our dear copy cats out there.

Adjust X-Frame headers may cause possible cross site issues that could be introduced or similar.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.