From c3157a0be59931626720547bd0c4280929c8d9ae Mon Sep 17 00:00:00 2001
From: dvdgsng
Date: Wed, 20 Nov 2019 15:58:57 +0100
Subject: [PATCH] Removed `X-Frame-Options: SAMEORIGIN` header

Some headers don't need to be set in nginx anymore, since they are hardcoded into Nextcloud. This causes problems with the header `X-Frame-Options: SAMEORIGIN`, which should not be set twice.

See:
* https://docs.nextcloud.com/server/17/admin_manual/installation/harden_server.html#serve-security-related-headers-by-the-web-server
* https://docs.nextcloud.com/server/12/admin_manual/release_notes.html#updates-to-nginx-configuration
* https://github.com/nextcloud/server/issues/4764
* https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger
---
 admin_manual/installation/nginx.rst | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst
index c80549cb595..571ed303056 100644
--- a/admin_manual/installation/nginx.rst
+++ b/admin_manual/installation/nginx.rst
@@ -69,7 +69,6 @@ webroot of your nginx installation. In this example it is
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;
@@ -170,7 +169,6 @@ webroot of your nginx installation. In this example it is
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;
@@ -231,7 +229,6 @@ your nginx installation.
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;
@@ -336,7 +333,6 @@ your nginx installation.
 add_header Referrer-Policy "no-referrer" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
 add_header X-Robots-Tag "none" always;
 add_header X-XSS-Protection "1; mode=block" always;