X-Frame-Options warning in NC17beta2

[nursoda]

After upgrading from NC 16 to NC 17 beta2 settings/admin/overview urges me to set the X-Frame-Options header to SAMEORIGIN in the WEBSERVER? config. No explanation or link is given, docs/admin handbook says nothing. Here is what I see:

Der „X-Frame-Options“-HTTP-Header ist nicht so konfiguriert, dass er „SAMEORIGIN“ entspricht. Dies ist ein potentielles Sicherheitsrisiko und es wird empfohlen, diese Einstellung zu ändern.

So I added it to my vhost config and double checked: It's now twice in the headers, and even then the warning is displayed, so is this an update issue or a regression (see #8207)?

Upon kesselb's request, I use the template to provide information. I omitted irrelevant entries:

Steps to reproduce

Install/Update Nextcloud to 17beta2, have it installed in a subdirectory (here: /cloud), so there are OTHER paths served. Check HTTP headers for URLs inside /cloud and outside /cloud.

Expected behaviour

X-Frame-Options header should be set to SAMEORIGIN by Nexcloud. That IS the case, so all fine for URLs inside /cloud. But no warning should be issued IMHO.
If that warning aims to nudge admins to set the header globally (which is fine also), then if the header is already set globally, it should not be set TWICE.

Actual behaviour

Although X-Frame-Options header IS set to SAMEORIGIN in the server config a warning is issued and URLs within /cloud are served with the twi identical X-Frame-Options header lines.

Server configuration

Operating system: debian 8 'jessie', current
Web server: Apache 2.4.10-10+deb8u15
Database: mySQL 5.5.62-0+deb8u1
PHP version: PHP 7.3.8-1+0-20190807.43+debian8-1.gbp7731bf via libapache2-mod-php7.3
Nextcloud version: 17beta2 (17.0.0.4)
Updated from an older Nextcloud/ownCloud or fresh install: updated from 16.0.4
Where did you install Nextcloud from: Updater app
Signing status: No errors have been found.
Nextcloud configuration: (removed irrelevant parts)

{ "system": { "trusted_domains": [ "mydomain.com" ], "overwrite.cli.url": "https:\/\/mydomain.com\/cloud", "dbtype": "mysql", "version": "17.0.0.4", "logtimezone": "Europe\/Berlin", "installed": true, "filelocking.enabled": "true", "maintenance": false, "loglevel": 2, "theme": "", "updater.release.channel": "beta", } }

[kesselb]

Would you mind to add some basic information about your setup? Apache or Nginx version, how is PHP connected to the webserver, etc...

[kesselb]

Mind to add this information to your first post? Please also add the exact apache 2.4.x version (sometimes things are changed with minor versions). Its much easier to triage an issue with the issue template.

[kesselb]

Would you mind to share the output of

curl -I https://yourcloud.com/index.php/login

[nursoda]

HTTP/1.1 200 OK Date: Wed, 25 Sep 2019 08:26:04 GMT Server: Apache/2.4.10 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: no-referrer X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-XSS-Protection: 1; mode=block Set-Cookie: oclnu97rv47u=b9jmuu8va3j71fcqg6oqdqecm0; path=/cloud; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Set-Cookie: oc_sessionPassphrase=opjhda07Gyrf1gTO5TArSHIMt68ggrRckcSaru2jMlfhB3nTewafZzK4E3VyKav2%2Faz2apLsUR5jQIvmZOyxK1w1rU5f5N4qL%2BujFKC%2BiUZNERtp5CexNnak1MkeMaj0; path=/cloud; secure; HttpOnly Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self' stun.nextcloud.com:443;media-src 'self';frame-src data:;child-src 'self';frame-ancestors 'self';worker-src 'self' blob:;form-action 'self' Set-Cookie: nc_sameSiteCookielax=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax Set-Cookie: nc_sameSiteCookiestrict=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict Feature-Policy: autoplay 'self';camera 'self';fullscreen 'self';geolocation 'none';microphone 'self';payment 'none' Content-Length: 6467 X-Frame-Options: SAMEORIGIN Content-Type: text/html; charset=UTF-8
I'm setting up a new server, so the culprit server will be offline in the next days.

[kesselb]

OK. I suspect that the heartbeat request is sent to the wrong url. Could you visit settings/admin/overview, open the development tools (e.g https://developers.google.com/web/tools/chrome-devtools/), go to network tab and reload the current page?

If the request is going to yourdomin.com/heartbeat (without the subdirectory) please try overwritewebroot.

[nursoda]

Seems to be sent to the correct URL:

[kesselb]

OK. The behaviour changed from 16.04 to 17. Please remove the option from your webserver configuration.

[nursoda]

Thanks. Installed NC17 on Arch/NGINX, no issues/warnings there. Security setting are in NGINGX site config though, as proposed in https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx