Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY')

  • Resolved knnleow

    (@knnleow)


    8 years, 4 months ago

    any advice on this issue i encountered while trying to import my wordpress xml backup from another server.

    this used to work when Self Signed SSL Cert was used. i now install Letsencrypt SSL and import seem to fail now.

    i did the recommended setting in the nginx “default” file to allow SAMEORIGIN, but still not able to get import.php to run.

    this is the export import source and destination.
    export from: https://knnubt05oc.kuenn.co:443
    import to: https://knnubt05oc.kuenn.co:49086
    Note that i am using the same Letsencrypt Cert as the servers are the same ipAddress.

    below is error seem by inspect (both google and firefox show same error)

    Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY') encountered when loading 'https://knnubt05oc.kuenn.co:49086/wp-admin/plugin-install.php?tab=plugin-information&plugin=wordpress-importer&from=import&'. Falling back to 'DENY'.

    Refused to display ‘https://knnubt05oc.kuenn.co:49086/wp-admin/plugin-install.php?tab=plugin-information&plugin=wordpress-importer&from=import&’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN, DENY’.

    `Uncaught SecurityError: Failed to read the ‘contentDocument’ property from ‘HTMLIFrameElement’: Sandbox access violation: Blocked a frame at “https://knnubt05oc.kuenn.co:49086” from accessing a frame at “https://knnubt05oc.kuenn.co:49086”. The frame being accessed is sandboxed and lacks the “allow-same-origin” flag.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter knnleow

    (@knnleow)

    problem solve.
    my bad…..sorry for the noise……..

    there is duplicate setting in two places for the same config.

    i removed the duplicate entry in /etc/nginx/site-available/default config file.

    update my /etc/nginx/snippets/ssl-dhparams.conf to
    :
    #add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;

    wordpress import.php is working now.

    Thanks for sharing the solution. Saved my day ??

    Thanks, man!!!

    Hi, knnleow.

    Could you give more details about the duplicate setting in /etc/nginx/site-available/default config file.

    I updated the “/etc/nginx/snippets/ssl-params.conf” as follow,

    #add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;

    But it didn’t work for me, please help.

    Thanks,
    Don

    You need to restart the nginx service in order to changes take effect.
    Or in case you already did that, give more info about the problem you have.

    Hi, cromodder. Thank you for your reply.

    Here is the console error by Safari.

    Multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM https://host/wp-admin/customize.php, SAMEORIGIN') encountered when loading 'https://host/?customize_changeset_uuid=uuid&customize_theme=twentyseventeen&customize_messenger_channel=preview-0'. Falling back to 'DENY'.

Refused to display 'https://host/?customize_changeset_uuid=uuid&customize_theme=twentyseventeen&customize_messenger_channel=preview-0' in a frame because it set 'X-Frame-Options' to 'ALLOW-FROM https://host/wp-admin/customize.php, SAMEORIGIN'.

    I guess you have more than one add_header X-Frame-Options added in your config files. Note that nginx can take multiple .conf files so try to locate where you’re adding the second X-Frame-Options header and remove it. (And ofc restart nginx afterwards)
    My knowledge with the server configuration is very limited so can’t help you more than that..

    Bad news, sudo grep -R "X-Frame-Options" /etc/nginx/ return only one result.

    @knnleow Thanks mate. You saved me a ton of time debugging this

    @donlychan The default value in these “recommended” ssl settings. Is to deny frames. So change the DENY in the end of that line to SAME-ORIGIN

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, DENY')’ is closed to new replies.