How to set Firefox referrer to "no-referrer" using PHP Referrer-Policy? - php

Setting referrer on Chrome using this PHP header will set all page referrers to none/no-referrer: "Referrer-Policy" => "no-referrer"
I have a problem setting the same Referrer-Policy to "no-referrer" on Firefox, because it seems the same PHP header doesn't work.
The solution must be in PHP, I cannot accept solution through META tags or JS.
( "Referrer-Policy" => "no-referrer" )
This should set referrer to none, empty on Firefox, but it doesn't.
On Chrome it works without any problem.

( "Referrer-Policy" => "no-referrer" )
This is not a valid PHP HTTP header.
The PHP header() function takes a text string in "<Header>: <value>" format, so:
header("Referrer-Policy: no-referrer");
This will set the header correctly; however, depending on your server setup it may be omitted if the same header has already been set elsewhere, such as in httpd.conf on Apache, or if the header has been set elsewhere with the always keyword, such as in .htaccess on Apache.

The question is no longer relevant to its author, but I'll add an answer for future visitors:
the "Referrer-Policy" header did not work via PHP (modern virtual hosting), but it works fine if added to the .htaccess file.
The syntax is:
<IfModule mod_headers.c>
Header set Referrer-Policy "same-origin"
</IfModule>

Related

Multiple X-Frame-Option refuses to show in-frame

I have an awful situation
A website with Apache2+PHP 5.6; one of the pages of the site has an <iframe> tag but it refuses to load because X-Frame-Options was set in more than one PHP file inside the web archives with different values (DENY and SAMEORIGIN), falling back to DENY.
Refused to display 'webpage' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN'). Falling back to 'deny'.
I tried to set X-Frame-Options in security.conf or with .htaccess, but when the page uses that particular file, it overrides the value and ends up in the same situation.
Refused to display 'webpage' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN,DENY, SAMEORIGIN'). Falling back to 'deny'.
My questions:
Is there a way to override all response headers of my page? or
Is it possible to find in which PHP file X-Frame-Options was set?
I know that it is possible to disable X-Frame-Options but I don't want that if there is any other possible solution or workaround.
Thanks in advance
UPDATE
It was an nginx server working as a reverse proxy on top of my configuration with that property set to DENY; hopefully I managed to reach that configuration and now it works perfectly.
You can check the response headers in the Network tab in developer tools to check which responses come with which X-Frame-Options value.
You can override X-Frame-Options in modern browsers by specifying Content-Security-Policy frame-ancestors directive in a response header. Use Content-Security-Policy: frame-ancestors 'self';

The 'Access-Control-Allow-Origin' header has a value that is not equal to the supplied origin

I am trying to login with ajax to an API and I get this error:
XMLHttpRequest cannot load. The 'Access-Control-Allow-Origin' header
has a value that is not equal to the supplied origin. Origin
'http://localhost' is therefore not allowed access.
I read all about this error, all over the internet, and I've tried all the solutions I could find online. I modified the .htaccess and apache httpd configuration file according to the CORS instructions here: http://enable-cors.org/server_apache.html
Access-Control-Allow-Origin: *
Nothing seems to be working. I'd really appreciate if you guys can help me out with this. Thank you!
You have to set the Access-Control-Allow-Origin header to * or the specific value http://localhost
You can do this through:
1- Your code
2- .htaccess file
3- Server config (restart web server required)
Here is a link that shows how to do it on Apache:
http://access-control-allow-origin-guide.com/enable-cors-on-apache-linux/
As added browser security, unless the API allows cross-browser origins in the return response's headers there is no way around this.
The browsers are blocking it; there is a plugin to allow it for Chrome, but it is not realistic to depend on a browser plugin to allow end user requests.
Try and reach out to the API provider and see if they can look into updating the header in the response.
It is a CORS issue:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
I use an .htaccess file to load JSON data from a different hosting, and it works, but
it has to be put inside the public HTML root of our web hosting, for example
uploading .htaccess into --> (https://freehostingsomewhere.com/)
then inside .htaccess:
<FilesMatch "\.(ttf|otf|eot|woff|jpg|png|jpeg|gif|js|json|html|css)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "http://localhost"
</IfModule>
</FilesMatch>
Here I use http://localhost for development and it works;
maybe if I have another web host, just change it to that URL. I will try it later (it can, I already tried it) :p
This is just for a clearer explanation.
Cheers :p
Are your requests using either cookies or authorization by any chance?
Check in your ajax call on the client side if you're configuring it to be done "with credentials":
.withCredentials = true;
If yes, the wildcard (*) will not work and you'll need to provide the exact host as the value for Access-Control-Allow-Origin.
Refer to this Stack Overflow answer or the Mozilla documentation on CORS.

Apache2 Headers not working correctly

Having issues with iframes (have no control as these come with the system I have) and the cross-site stuff.
Have added the usual X-Frame-Options to my .htaccess file, with the directive to allow the iframe from this other system that wants to iframe the site. No problem at first.
<IfModule mod_headers.c>
Header always set X-Frame-Options "ALLOW-FROM https://otherhost"
</IfModule>
And I can confirm that the above is taking effect as I have messed with the header content and it is reflected.
For some reason, I keep seeing the header X-Frame-Options ALLOW-FROM https://otherhost, SAMEORIGIN with this additional SAMEORIGIN, which of course is not valid and fails within the browsers, ultimately resulting in the browser falling back to DENY, which then means the iframe is not shown.
The Apache2 docs state for the set option that:
The response header is set, replacing any previous header with this name. The value may be a format string.
Yet I do not see it replacing the string. If I curl the login page, it presents correctly; if I inspect it in the Chrome/Safari inspector, it shows the additional ", SAMEORIGIN" and then complains that it's not valid.
I've even tried using the unset option for the Header directive, but it still keeps producing this header.
Is the Header directive applied post or pre output? This is driving me nuts and wasting so much time on a simple thing.

Possible alternatives to PHP header_remove

I am working on a website that is not on my own server, I do not have much (any) access to the server settings outside of the website SFTP.
The server previously ran PHP 5.21 and I used
header("X-Powered-By:");
to overwrite and remove the X-Powered-By header. This worked, but I have found that since the server was updated to PHP 5.6 this no longer works, and the headers produced are:
X-Powered-By:
X-Powered-By: PleskLin
I didn't expect multiple lines of the same header, so I tried adding this code to the page:
header_remove("X-powered-by");
but the PleskLin header remains. Obviously the header is being added after PHP has processed the page, so bear that in mind; it's a server I am really not familiar with.
Also, running
header_remove();
does not remove the X-Powered-By header, but does remove other PHP-set headers.
Is there a way I can remove this header within PHP?
How can I remove this header on the server, if it can't be removed by PHP? (I can email the server owner and ask them to change a setting, but they're not very tech savvy in my few previous experiences with them.)
I have found that calling header_remove in the PHP and (strangely) also adding an .htaccess with the following does remove all X-Powered-By headers:
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule>
To explain:
The original header given out is:
x-Powered By: Plesklin
If I simply added the .htaccess removal code, the header became:
X-Powered-By: PHP 5.6.1
but combined with the on-page header_remove('X-Powered-By') this cleared all values for that particular header.
The only way you can do this is to ask the host to set expose_php to off in the php.ini file for you.
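A small audit script, added here and not part of any of the posts above, that checks a captured response (for example the output of curl -i) for the header problems discussed on this page: conflicting X-Frame-Options values that make browsers fall back to DENY, a wildcard Access-Control-Allow-Origin combined with credentials, a missing or unrecognised Referrer-Policy, and X-Powered-By disclosure. The sample response is constructed for this example; the header values in it are not taken from any real server.

```python
# Added example: audit a captured HTTP response (e.g. `curl -i` output) for the
# header problems discussed on this page. The sample response is constructed.
from collections import defaultdict

VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "same-origin",
    "origin-when-cross-origin", "strict-origin", "strict-origin-when-cross-origin",
    "unsafe-url"}

def parse_headers(raw):
    """Lowercased header name -> list of values; repeated headers stay separate entries."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line: the body starts here
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """One finding string per problem; an empty list means the response is clean."""
    h, findings = parse_headers(raw), []
    # A reverse proxy may merge duplicates into "DENY, SAMEORIGIN", so split on commas too.
    xfo = sorted({t.strip().upper() for v in h["x-frame-options"] for t in v.split(",")})
    if len(xfo) > 1:
        findings.append(f"conflicting X-Frame-Options {xfo}: browsers fall back to DENY"
                        " (a CSP frame-ancestors directive would take precedence)")
    acao = h["access-control-allow-origin"]
    if len(acao) > 1:
        findings.append(f"multiple Access-Control-Allow-Origin values {acao}")
    if "*" in acao and "true" in [v.lower() for v in h["access-control-allow-credentials"]]:
        findings.append("wildcard Access-Control-Allow-Origin with credentials: browsers block"
                        " credentialed requests; echo the exact origin instead")
    rp = [t.strip().lower() for v in h["referrer-policy"] for t in v.split(",") if t.strip()]
    if not rp:
        findings.append("Referrer-Policy missing: the browser default applies")
    elif not set(rp) <= VALID_REFERRER_POLICIES:
        findings.append(f"unrecognised Referrer-Policy token(s) in {rp}")
    if any(h["x-powered-by"]):
        findings.append(f"X-Powered-By discloses {h['x-powered-by']}: unset it or set expose_php=Off")
    return findings

SAMPLE_BAD = """HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
X-Powered-By: PHP/5.6.1

<html>constructed body</html>"""
```

Run audit(SAMPLE_BAD) to get four findings; feed it the raw output of curl -i against your own site to check whether a proxy or a second PHP file is adding headers behind your back.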

Adding an http header site wide in php

I'm maintaining a web site for a non-profit organisation. I'm not the one who designed this web site, and I don't know the person who did it.
That said, I have an issue with IE9. I will eventually try to correct it, but meanwhile just adding the X-UA-Compatible header so IE9 turns to IE8 mode would work just fine.
In an asp.net web site, I would add it in the web.config with the <customHeaders> element (with IIS7).
Is there a way to send this header for all files in a PHP web site, without editing all files?
Apache mod_headers: add the following to your root .htaccess file
<FilesMatch "\.(php|cgi|pl|htm)$">
Header set X-UA-Compatible IE=EmulateIE8
</FilesMatch>
This will set that header in the HTTP headers of all PHP, HTML, Perl and CGI files, but I have had very bad experiences with the X-UA header, and found that it doesn't always work.
Use auto_prepend_file and header(), or configure it in your web server with e.g. Header.
If you're using some kind of templating engine, you could just add <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" /> to the HEAD section of your template(s).
Otherwise, if you're including a single PHP file everywhere, you could add a header() call there (as long as it's before you output any content).
