  1. Moodle
  2. MDL-58036

Check for X-Frame-Options not to have "DENY" value

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.2, 3.3.3, 3.4, Future Dev
    • Fix Version/s: None
    • Component/s: Filepicker
    • Labels:
    • Affected Branches:
      MOODLE_32_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE

      Description

      Ahead of a system migration (to Debian 9 'stretch') my system administrator prepared a webserver for me to use with Moodle.

      After a certain time of usage, we noticed that file upload via the 'classical' filepicker and 'edit HTML' in the TinyMCE editor did not work due to "Load denied by X-Frame-Options: …/repository/repository_ajax.php?action=upload does not permit framing." errors.

      The httpd setting for X-Frame-Options was the cause.

      It would be nice if in admin/environment.php or upon installation/upgrade there were a check looking after this setting.

      Be aware of this httpd setting. It should at least state
      Header always append X-Frame-Options "SAMEORIGIN"
      instead of
      Header always append X-Frame-Options "DENY"
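
The check requested in this report can be run by hand against a server's response headers. The following is an added example, not part of the original report and not Moodle code; the names xfo_verdict and sample_response and the sample response are constructed for illustration, and treating conflicting values as blocking is an assumption.

```shell
#!/bin/sh
# Classify the X-Frame-Options header(s) of an HTTP response read on stdin,
# e.g.:  curl -sI "$URL" | xfo_verdict
# Prints: missing | sameorigin | deny | conflict | unknown
# Returns 0 for missing/sameorigin (same-origin framing is not blocked by this
# header), 1 otherwise (framing is blocked or the value needs manual review).
xfo_verdict() {
    tr -d '\r' | awk '
        BEGIN { FS = ":" }
        # Header names are case-insensitive; mod_headers "append" merges onto
        # an existing header as a comma-separated list, so split on commas.
        tolower($1) ~ /^x-frame-options[ \t]*$/ {
            v = tolower(substr($0, index($0, ":") + 1))
            n = split(v, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "" && !(parts[i] in seen)) {
                    seen[parts[i]] = 1
                    count++
                }
            }
        }
        END {
            if (count == 0)                verdict = "missing"
            else if ("deny" in seen)       verdict = "deny"
            else if (count > 1)            verdict = "conflict"  # assumption: treated as blocking
            else if ("sameorigin" in seen) verdict = "sameorigin"
            else                           verdict = "unknown"
            print verdict
            exit ((verdict == "missing" || verdict == "sameorigin") ? 0 : 1)
        }'
}

# Constructed sample response (not captured from a real server): a DENY value
# appended onto a header that already carried "sameorigin".
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n'
    printf 'X-Frame-Options: sameorigin, DENY\r\n\r\n'
}

sample_response | xfo_verdict || true   # prints: deny
```

A "deny" or "conflict" verdict on the upload endpoint corresponds to the broken filepicker described above; "missing" means this header does not block the upload frame, but the response also carries no X-Frame-Options framing restriction.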

              People

              • Assignee:
                Unassigned
                Reporter:
                lucaboesch Luca Bösch
                Participants:
                Component watchers:
                Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias