Moodle / MDL-58036

Check for X-Frame-Options not to have "DENY" value


    • Type: Improvement
    • Resolution: Won't Do
    • Priority: Minor
    • None
    • 3.2, 3.3.3, 3.4, Future Dev
    • Filepicker
    • MOODLE_32_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE

      Ahead of a system migration (to Debian 9 'stretch') my system administrator prepared a webserver for me to use with Moodle.

      After a certain time of usage, we noticed file upload via 'classical' filepicker and 'edit HTML' in TinyMCE editor did not work due to "Load denied by X-Frame-Options: …/repository/repository_ajax.php?action=upload does not permit framing." errors.

      The httpd setting for X-Frame-Options was the cause.

      It would be nice if in admin/environment.php or upon installation/upgrade there were a check looking after this setting.

      Be aware of this httpd setting. It should at least state
      Header always append X-Frame-Options "SAMEORIGIN"
      instead of
      Header always append X-Frame-Options "DENY"

            Unassigned Unassigned
            lucaboesch Luca Bösch
            Votes: 0
            Watchers: 5
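
The environment check requested in this issue could inspect the response headers a page actually sends. The following added example (not Moodle code and not from the reporter) classifies the X-Frame-Options policy the way browsers apply it, where a DENY token or conflicting values block framing even by the same origin. The function names and sample headers are assumptions constructed for illustration, and Content-Security-Policy frame-ancestors is not considered.

```python
# Added example, not Moodle code: classify the X-Frame-Options policy of a
# response and decide whether same-origin framing (the filepicker) is blocked.

def xfo_tokens(headers):
    """Distinct lower-cased tokens from all X-Frame-Options lines, split on commas."""
    tokens = []
    for name, value in headers:
        if name.strip().lower() != "x-frame-options":
            continue
        for part in value.split(","):
            token = part.strip().lower()
            if token and token not in tokens:
                tokens.append(token)
    return tokens


def classify(headers):
    """Return 'absent', 'deny', 'conflict', 'sameorigin' or 'unrecognised'."""
    tokens = xfo_tokens(headers)
    if not tokens:
        return "absent"
    if "deny" in tokens:          # DENY wins over anything sent alongside it
        return "deny"
    if len(tokens) > 1:           # differing values are treated as a block
        return "conflict"
    return "sameorigin" if tokens[0] == "sameorigin" else "unrecognised"


def blocks_same_origin_framing(headers):
    """True when the site would be prevented from framing its own pages."""
    return classify(headers) in ("deny", "conflict")


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "httpd sends DENY": [("X-Frame-Options", "DENY")],
    "httpd sends SAMEORIGIN": [("x-frame-options", "sameorigin")],
    "appended onto app value": [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "no header": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict = "BLOCKED" if blocks_same_origin_framing(hdrs) else "ok"
        print(f"{label:26} {classify(hdrs):12} {verdict}")
```

The "appended onto app value" sample matters because `Header append` joins its value onto an existing header of the same name with a comma, so a DENY added at the httpd level still blocks framing when the application already sent SAMEORIGIN.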
