Hi Reindl,

> in particular:
>
> "X-Frame-Options" => "DENY"
>
> why are you doing that on the webserver?

Because that's the best practice!
Have a look at this: https://cipherli.st
On 2014-08-23 02:50, Reindl Harald wrote:
> On 23.08.2014 at 04:17, [email protected] wrote:
>> Hi, so after some testing, it looks like the lighttpd setting:
>>
>> setenv.add-response-header = (
>>   "Strict-Transport-Security" => "max-age=63072000; includeSubDomains",
>>   "X-Frame-Options" => "DENY"
>> )
>
> in particular:
>
> "X-Frame-Options" => "DENY"
>
> why are you doing that on the webserver?
>
>> was causing the issue.
>> There is some bug tracking about it and roundcube
>> ( http://trac.roundcube.net/ticket/1487037 )
>> and it is also documented in the 'defaults.inc.php' file:
>>
>> // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
>> // Possible values: sameorigin|deny. Set to false in order to disable sending them
>> $config['x_frame_options'] = 'sameorigin';
>>
>> anyway, could you please suggest the best setting of both roundcube
>> and lighttpd?
>> (should lighttpd be set to 'sameorigin' or should roundcube be set to
>> 'deny'?)
>
> just don't configure a webserver in a way it overrides applications
> and if you do so at least only with "sameorigin"
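One way to see the conflict the thread describes, as an added example that is not code from the list participants, from Roundcube or from lighttpd: the script below parses a raw HTTP response and reports which X-Frame-Options policy a browser is left with when the application (Roundcube's `$config['x_frame_options']`, default `sameorigin`) and the webserver (lighttpd's `setenv.add-response-header` with `DENY`) both emit the header. The two sample responses are constructed, not captured from a server, and the rule that several differing values collapse to `DENY` is this check's own conservative assumption (it matches Chromium's fallback for conflicting values; other browsers may behave differently).

```python
# Added example, not part of the mailing-list thread, Roundcube or lighttpd.
# It shows what a client receives when the webserver appends its own
# X-Frame-Options (XFO) on top of the one the application already sends.

# Constructed sample: Roundcube sets "sameorigin", lighttpd appends "DENY".
RESPONSE_CONFLICT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: sameorigin\r\n"  # set by the application (Roundcube)
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"  # appended by the webserver (lighttpd)
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: webserver no longer overrides the application.
RESPONSE_ALIGNED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
    "<html>...</html>"
)

VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into (lower-cased name, value) pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def xfo_values(raw: str) -> list[str]:
    """Every X-Frame-Options value in the response, upper-cased, in wire order."""
    return [v.upper() for n, v in parse_headers(raw) if n == "x-frame-options"]


def effective_xfo(raw: str) -> tuple[str, str]:
    """Return (effective policy, diagnosis).

    Assumed rule for several differing values: the result is DENY. This is the
    conservative outcome and matches Chromium's fallback for conflicting
    X-Frame-Options headers; other browsers may resolve it differently.
    """
    values = xfo_values(raw)
    if not values:
        return "NONE", "no X-Frame-Options header: any origin may frame the page"
    distinct = sorted(set(values))
    if len(distinct) > 1:
        return "DENY", (
            f"conflicting values {distinct}: the webserver overrides the "
            "application; drop the webserver header or align it with the "
            "application's value"
        )
    value = distinct[0]
    if value not in VALID_XFO:
        return "INVALID", f"non-standard value {value!r}: not a reliable clickjacking control"
    if len(values) > 1:
        return value, "duplicate but consistent headers; remove one to keep the config clear"
    return value, "single consistent header"


def breaks_self_framing_app(raw: str) -> bool:
    """True when the effective policy forbids the site from framing its own
    pages, which is what hits applications such as Roundcube that load parts
    of their UI in same-origin iframes."""
    return effective_xfo(raw)[0] == "DENY"


if __name__ == "__main__":
    for label, resp in (("conflict", RESPONSE_CONFLICT), ("aligned", RESPONSE_ALIGNED)):
        policy, why = effective_xfo(resp)
        print(f"{label}: effective X-Frame-Options={policy} ({why})")
```

Run against a real deployment by pasting the output of `curl -sI https://<your-roundcube-host>/` into `effective_xfo`; the "conflict" diagnosis is the situation from the thread, and the fix is exactly Reindl's advice: leave the application's header alone, or at most have the webserver emit the same `sameorigin` value.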
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users