Hi Reindl,

> in particular: "X-Frame-Options" => "DENY"
> why are you doing that on the webserver?

Because that's the best practice!
Have a look at this: https://cipherli.st
On 2014-08-23 02:50, Reindl Harald wrote:
> On 23.08.2014 at 04:17, ml@ruggedinbox.com wrote:
>> Hi, so after some testing, it looks like the lighttpd setting:
>> setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=63072000; includeSubDomains", "X-Frame-Options" => "DENY" )
>> in particular: "X-Frame-Options" => "DENY"
>
> why are you doing that on the webserver?
>
>> was causing the issue.
>> There is some bug tracking about it and roundcube ( http://trac.roundcube.net/ticket/1487037 ) and it is also documented in the 'defaults.inc.php' file:
>>
>> // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
>> // Possible values: sameorigin|deny. Set to false in order to disable sending them
>> $config['x_frame_options'] = 'sameorigin';
>>
>> anyway, could you please suggest the best setting of both roundcube and lighttpd? (should lighttpd be set to 'sameorigin' or should roundcube be set to 'deny'?)
>
> just don't configure a webserver in a way it overrides applications and if you do so at least only with "sameorigin"
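What a browser makes of these headers, as an added example that is not code from the thread, Roundcube or lighttpd: it models the HTML spec's X-Frame-Options check and runs it over constructed headers for the setups discussed (application alone, application plus webserver DENY, webserver sameorigin). It assumes both the application's and the webserver's header reach the browser and, as a simplification, compares only the direct embedder's origin rather than every ancestor frame.

```python
# Added example (not from the thread, Roundcube or lighttpd): a model of the
# HTML spec's X-Frame-Options check. Assumption: only the direct embedder's
# origin is compared, not every ancestor frame.

def xfo_allows_framing(headers, embedder_origin, response_origin,
                       csp_frame_ancestors=False):
    """Return True if X-Frame-Options lets a browser render the response in a frame.

    headers: (name, value) tuples in the order received.
    csp_frame_ancestors: True if an enforced CSP frame-ancestors directive is
        present; the spec then ignores X-Frame-Options and CSP decides alone.
    """
    if csp_frame_ancestors:
        return True
    raw = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # Every header instance is split on commas and collected.
            raw.extend(v.strip() for v in value.split(","))
    if not raw:
        return True  # no header at all: nothing restricts framing
    values = {v.lower() for v in raw}
    if len(values) > 1:
        # Conflicting values (the app's sameorigin plus the server's DENY):
        # blocked as soon as any recognised keyword is among them.
        return not (values & {"deny", "allowall", "sameorigin"})
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder_origin == response_origin
    return True  # unrecognised token: the header is ignored

# Constructed sample headers for the configuration discussed above.
ROUNDCUBE_HEADER = ("X-Frame-Options", "sameorigin")  # defaults.inc.php value
LIGHTTPD_DENY = ("X-Frame-Options", "DENY")           # setenv.add-response-header

def scenarios(origin="https://mail.example.test", other="https://third-party.example.test"):
    """Outcome for each setup: the webmail's own same-origin frames, and a cross-site embed."""
    server_sameorigin = [ROUNDCUBE_HEADER, ("X-Frame-Options", "sameorigin")]
    return {
        # Roundcube alone: its own same-origin frames work.
        "app_only": xfo_allows_framing([ROUNDCUBE_HEADER], origin, origin),
        # Roundcube plus lighttpd's DENY: even same-origin frames are blocked.
        "app_plus_server_deny": xfo_allows_framing(
            [ROUNDCUBE_HEADER, LIGHTTPD_DENY], origin, origin),
        # lighttpd set to sameorigin instead: the app works, third-party framing does not.
        "server_sameorigin_self": xfo_allows_framing(server_sameorigin, origin, origin),
        "server_sameorigin_cross_site": xfo_allows_framing(server_sameorigin, other, origin),
    }
```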