_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
Probably because the header is being added later in a different sub-context.
That is, at the time apache sets the header for virtual host there is no
other header of the same name defined, so there is nothing to eliminate and
set instead, but then the path for the reverse proxy to tomcat is being
evaluated later.
I would suppose setting it in the specific location for the path that leads
to tomcat things would be different.
In any case try and see.
Regards.
On Wed, 6 Oct 2021 12:09, Martin Knoblauch wrote:
> Hi,
>
> sorry for asking this likely stupid question. This is with Apache HTTPD
> 2.4.48.
>
> I want to change the value of the X-Frame-Options response header from
> DENY to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.
>
> Naively, because the mod_header documentation says "The response header is
> set, replacing any previous header with this name. The value may be a
> format string.", I added a single
>
> Header always set X-Frame-Options SAMEORIGIN
>
> to the VirtualHost section of the httpd configuration. To my surprise my
> browser (FF and Chrome) has two headers now, one with DENY, one with
> SAMEORIGIN. And falls back to DENY :-(
>
> When I add an unset before the set, it works
>
> Header unset X-Frame-Options
> Header always set X-Frame-Options SAMEORIGIN
>
> Is my understanding of the mod_header documentation wrong, or do I miss
> something subtle?
>
> Cheers
> Martin
> --
> ------------------------------------------------------
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www: http://www.knobisoft.de
>
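
A check for the symptom described in this thread, as an added example that is not part of the original messages: it parses a raw response header block (for instance saved `curl -sI` output) and reports whether X-Frame-Options is missing, duplicated or conflicting. The sample responses and function names are constructed for illustration, and the DENY result for conflicting values follows the browser behaviour reported in the thread.

```python
# Constructed sample responses modelled on the two configurations in the thread.
DUPLICATED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)
FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def xfo_values(raw_headers):
    """Return every X-Frame-Options value in order of appearance, upper-cased."""
    values = []
    for line in raw_headers.splitlines():
        if line.startswith("HTTP/"):
            continue                      # status line, not a header field
        if not line.strip():
            break                         # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # An intermediary may merge repeated fields into one
            # comma-separated field, so split on commas as well.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def audit_xfo(raw_headers):
    """Classify the header set as (status, effective_policy)."""
    values = xfo_values(raw_headers)
    if not values:
        return ("missing", None)
    if len(set(values)) > 1:
        # Assumption taken from the thread: with conflicting values the
        # browsers tested (Firefox, Chrome) fall back to DENY.
        return ("conflict", "DENY")
    if len(values) > 1:
        return ("duplicate", values[0])   # repeated but consistent
    return ("ok", values[0])


if __name__ == "__main__":
    for label, raw in (("always set only", DUPLICATED), ("unset + set", FIXED)):
        print(label, "->", audit_xfo(raw))
```
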