Used Zammad installation source: (source, package, …) package APT
Operating system: Ubuntu 18.04
Hi,
I want to display the user login of our Zammad server in our Joomla intranet website, so I added an iframe on a Joomla site, but the Zammad server refuses to display the login because of ‘X-Frame-Options’ set to ‘sameorigin’. Where can I change that behavior?
Does no one have any idea where that X-Frame-Options sameorigin is coming from? When I add a line into nginx with add_header X-Frame-Options 'allow-from http://my.intra.net'; I can see that this option is added to the X-Frame-Options. I think this comes from Zammad itself.
X-Frame-Options => “SAMEORIGIN” is a default security behaviour of Ruby on Rails.
Try looking into (versions may differ at your installation):
$ZAMMAD_DIR/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.6.1/lib/action_dispatch/railtie.rb
You can easily find some security options there which may solve your issue. You can just try to change “SAMEORIGIN” to “ALLOWALL”. Also you may need to play with the XSS options.
Be aware that this is a potential security issue. Software like Zammad can contain information crucial to your business, so be careful with these options.
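A way to allow the intranet iframe without editing the vendored gem, added here as an example and not taken from this thread: in the nginx site config, discard the upstream X-Frame-Options header and restrict framing to the intranet origin with a Content-Security-Policy frame-ancestors directive. The location block and the upstream address are assumptions; http://my.intra.net is the Joomla origin from the question.

```nginx
# Added example (not from the thread). Assumes Zammad is served from a
# "location /" block in the nginx vhost; the proxy_pass target is assumed.
location / {
    proxy_pass http://127.0.0.1:3000;   # assumed Zammad upstream

    # What the question tried: add_header does not replace a header the
    # upstream already sent, so the client receives both "SAMEORIGIN" from
    # Rails and "allow-from ..." from nginx. ALLOW-FROM is also ignored by
    # Chrome and Safari, so this line cannot work as intended.
    # add_header X-Frame-Options 'allow-from http://my.intra.net';

    # Corrected: drop the Rails X-Frame-Options header, then permit framing
    # only from Zammad itself and the one intranet origin. Unlike ALLOWALL,
    # any other site that embeds the login page is still blocked.
    proxy_hide_header X-Frame-Options;
    add_header Content-Security-Policy "frame-ancestors 'self' http://my.intra.net" always;
}
```

Note that an add_header inside a location block stops that block from inheriting add_header lines declared at server level, so any other headers set there must be repeated here.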