fatfree on nginx: duplicate header X-XSS-Protection


Alexandre Plennevaux

Jan 28, 2018, 4:42:33 AM
to Fat-Free Framework
I'm trying to track down this error coming from the Chrome console, which occurred after switching from an Apache to an nginx server, using the same codebase.


Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 14. The default protections will be applied.

According to this SO thread, nginx might be sending the header once, and fatfree may be sending it a second time. Chrome then merges the two, producing the error.

I looked through the source code for header() calls, "XXS", "X-Content" but did not find anything suspicious. I'm at a loss for ideas.

Thank you !

Alexandre.

Alexandre Plennevaux

Jan 28, 2018, 4:47:09 AM
to Fat-Free Framework
update:

I did find this:


    header('X-Frame-Options: '.$this->hive['XFRAME']);
    header('X-XSS-Protection: 1; mode=block');
    header('X-Content-Type-Options: nosniff');

I'll look how to control the headers sent by fatfree.

Alexandre Plennevaux

Jan 28, 2018, 7:37:34 AM
to f3-fra...@googlegroups.com
Mmmh, not that easy.

    $f3->hive['XFRAME'] = '';
    $f3->set('XFRAME', '');
    $f3->hive['HEADERS']['X-XSS-Protection'] = '';
    header_remove("X-XSS-Protection");
    header_remove("X-Content-Type-Options");
    $f3->run();


still shows this:


I figure it would make more sense to add it in the callback of each route, but I would like this to run for every route, so to avoid repeating myself I need to catch the result of run() when it has finished preparing the response, and remove the headers right before the server actually starts sending the response.

ved

Jan 28, 2018, 7:59:36 AM
to Fat-Free Framework
If you're using the most complete version of nginx (nginx-extras on Debian) then you can place the following in your nginx config:

more_clear_headers 'X-XSS-Protection';

This should remove the header before sending the output to the browser.

xfra35

Jan 29, 2018, 5:20:18 PM
to Fat-Free Framework
Since the header function is called with the $replace parameter set to TRUE, I would expect a single header to be sent, unless nginx sets the headers after F3, in which case you'd need to clear the headers at the nginx level (like ved suggested) or at the PHP level (inside your controller rather than before $f3->run).
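One way to apply the PHP-level suggestion above to every route at once, as an added example that is not code from this thread or from the Fat-Free project. It assumes F3 is installed via Composer and that $f3->run() queues the X-XSS-Protection and X-Content-Type-Options headers just before it invokes the matched handler (which is why header_remove() before run() has no effect); F3's beforeroute hook on the handler's class then runs late enough to remove them, leaving nginx's add_header as the single source.

```php
<?php
// Added example, not code from the thread or from the Fat-Free project.
// Assumptions: F3 is installed via Composer, and $f3->run() queues
// X-XSS-Protection / X-Content-Type-Options with header() right before it
// calls the matched route handler, so any header_remove() done before
// run() is undone by the framework re-adding the headers afterwards.
require 'vendor/autoload.php';

$f3 = \Base::instance();

class SecurityHeaders {
    // F3 calls beforeroute() on the handler's class after run() has queued
    // its headers but before the handler writes any output. PHP only flushes
    // headers with the first byte of output, so they can still be removed
    // here regardless of output buffering. Keep shared handlers in this class
    // (or derive from it) so the hook covers every route without repetition.
    function beforeroute(\Base $f3) {
        // nginx's add_header is now the only source of these two headers,
        // so Chrome sees one value instead of a merged, unparsable pair.
        header_remove('X-XSS-Protection');
        header_remove('X-Content-Type-Options');
    }

    function home(\Base $f3) {
        echo 'hello';
    }
}

// Check from the command line (constructed, run against your own host):
//   curl -sI http://localhost/ | grep -i '^x-xss-protection'
// Exactly one line should come back; curl shows duplicates separately,
// whereas Chrome merges them into the comma-joined value from the error.

$f3->route('GET /', 'SecurityHeaders->home');
$f3->run();
```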

Emmanuel Simond

Mar 15, 2018, 9:30:31 AM
to Fat-Free Framework
Hi, interesting what you got.

So more_clear_headers 'X-XSS-Protection' was your solution?

Or did you have to clear the headers at nginx level (like ved suggested) or at PHP level before $f3->run?