There is no legitimate reason to do this. Setting header X-Frame-Options to "sameorigin" is necessary for displaying some collectd graphs on the WebUI.

Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 2 files changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index dc1151110..de7b8559d 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,6 +23,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin

<Directory /srv/web/ipfire/html> Options ExecCGI diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index d95fa264f..2cf57dd29 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -9,6 +9,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Header always set Referrer-Policy strict-origin + Header always set X-Frame-Options sameorigin

<Directory /srv/web/ipfire/html> Options ExecCGI

Hi,

Acked-by: Michael Tremer michael.tremer@ipfire.org

On 4 Nov 2019, at 18:52, peter.mueller@ipfire.org wrote:

By default, even modern browsers sent the URL of ther originating site to another one when accessing hyperlinks. This is an information leak and may expose internal details (such as FQDN or IP address) of an IPFire installation to a third party.

Signed-off-by: Peter Müller peter.mueller@ipfire.org

config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 2 files changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 2009184bb..dc1151110 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -22,6 +22,7 @@

Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

• Header always set Referrer-Policy strict-origin

  <Directory /srv/web/ipfire/html> Options ExecCGI

diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index b70994404..d95fa264f 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -8,6 +8,7 @@

Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

• Header always set Referrer-Policy strict-origin

  <Directory /srv/web/ipfire/html> Options ExecCGI

-- 2.16.4