Safari - Conflicting Multiple 'X-Frame-Options'

Hello,

Having an issue with the following error when accessing the WP customiser:

[Error] Multiple ‘X-Frame-Options’ headers with conflicting values (‘ALLOW-FROM https://domain.com/wp/wp-admin/customize.php, SAMEORIGIN’) encountered when loading ‘https://domain.com/?customize_changeset_uuid=5e7f9df3-6968-4082-902f-165d24188426&customize_theme=GreenstoneStarling%2Fresources%2Fviews&customize_messenger_channel=preview-0’. Falling back to ‘DENY’.

[Error] Refused to display ‘https://domain.com/?customize_changeset_uuid=5e7f9df3-6968-4082-902f-165d24188426&customize_theme=GreenstoneStarling%2Fresources%2Fviews&customize_messenger_channel=preview-0’ in a frame because it set ‘X-Frame-Options’ to ‘ALLOW-FROM https://domain.com/wp/wp-admin/customize.php, SAMEORIGIN’.

Seems to only be an issue in Safari. Any way to fix this?

Using the latest Trellis, Bedrock and Sage 9. Deployed to Digital Ocean. Problem occurs on both localhost and the DO server.

What Safari version?

Latest I believe: Version 10.1.1 (12603.2.4)

Trellis only sets X-Frame-Options: SAMEORIGIN. Seems like Safari is complaining about that in combination with ALLOW-FROM.

Maybe your site, WP, or a plugin is adding ALLOW-FROM?


It’s a standard out-of-the-box, brand-new deployment with no theme/plugins, so it can only be settings that Trellis or WP itself sets by default. Can’t say I’ve ever come across WP itself adding X-Frame-Options.

Doing a search of the entire project folder for X-Frame-Options: returns nothing.

Safari has this in the headers being sent: X-Frame-Options SAMEORIGIN, SAMEORIGIN

Chrome only has the one.

If I edit out the line `include h5bp/directive-only/extra-security.conf;` from my site’s Nginx conf then it works fine in Safari, and SAMEORIGIN is still being set in the headers, so it must be set somewhere else in Nginx as well as in the included extra-security file.

Update:

The only other place I can find it being set is by WordPress itself in functions.php.

Found this: https://core.trac.wordpress.org/ticket/40020

Exact same behaviour?


Exactly the same 🙂

Replying to endortrails:
NGINX with a single add_header X-Frame-Options SAMEORIGIN; set in configs.
So if you remove this Nginx rule, the Customizer loads as expected in Safari?
The resolution here may be that the Nginx config should be removed in favor of adding the X-Frame-Options header via PHP in WordPress only.

The above suggestion does fix it, but again, commenting out that file removes other things I’d rather keep.
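One way to keep the h5bp include (and the rest of its hardening headers) while still sending a single X-Frame-Options header, as an added example that is not Trellis’, h5bp’s or WordPress’ own configuration. It shows the duplicating setup from this thread beside a corrected one: the server-level `add_header` from extra-security.conf stays, and the PHP location block tells Nginx to drop the copy that WordPress sends (the SAMEORIGIN from `send_frame_options_header()` in wp-admin/login, or the ALLOW-FROM seen in the Customizer preview error above). The `server_name`, `root`, socket path and file layout are assumptions.

```nginx
# Added example, not the project's own config. Paths, upstream socket and
# server_name below are assumptions.
#
# Before (what this thread describes): extra-security.conf adds
#     add_header X-Frame-Options "SAMEORIGIN";
# at server level, and WordPress' PHP response carries its own
# X-Frame-Options. The client therefore sees two headers, e.g.
#     X-Frame-Options: ALLOW-FROM https://domain.com/wp/wp-admin/customize.php
#     X-Frame-Options: SAMEORIGIN
# which Safari reports as conflicting and downgrades to DENY.

server {
    listen 443 ssl http2;
    server_name domain.com;                       # assumption
    root /srv/www/domain.com/current/web;         # assumption (Bedrock web root)

    # Keep h5bp's hardening headers; this is the include from the thread.
    include h5bp/directive-only/extra-security.conf;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumption

        # Drop the X-Frame-Options header that PHP/WordPress emits, so the
        # only copy reaching the browser is the one from extra-security.conf.
        # For a proxied upstream the equivalent is proxy_hide_header.
        fastcgi_hide_header X-Frame-Options;

        # Caveat: do NOT put any add_header in this block. nginx only inherits
        # add_header directives from the enclosing level when the current
        # level has none, so a single add_header here would silently switch
        # off every header from extra-security.conf for PHP responses.
    }
}
```

With this in place the Customizer preview is framed by `https://domain.com/wp/wp-admin/customize.php`, which is the same origin as the preview URL, so the single SAMEORIGIN header still permits it. Nothing is lost by discarding WordPress’ ALLOW-FROM value, since WebKit (Safari) and Blink (Chrome) have never honoured ALLOW-FROM. Verify with `nginx -t` before reloading, then confirm that `curl -sI https://domain.com/wp/wp-login.php | grep -i x-frame-options` returns exactly one line; `nginx -T` dumps the fully resolved configuration including the h5bp include, which is why a search of the project folder alone did not find the second source of the header.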