X-Content/X-Frame problem with Owncloud 10.0.0 running CentOS 7 and PHP 7


#1

Hi there, excellent Owncloud masters!

So, I'm fairly new at this whole running an Owncloud server thing, and I'm having a few minor but irritating issues.

Issue:
The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

The problem is that these settings are already correct. When I check the headers with, for example, keycdn.com, then I find that the server reports:
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

Steps to reproduce

  1. Install CentOs 7
  2. Install PHP 7
  3. Install Owncloud 10
  4. Add all settings seemingly correctly.

Expected behaviour

No X-content errors should show up.

Actual behaviour

The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.
The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.

Server configuration

CentOS Linux release 7.3.1611 (Core)

Web server:
Apache 2.4.6

Database:
5.5.52-MariaDB

PHP version:
PHP 7.0.21

ownCloud version: (see ownCloud admin page)
10.0.0 (Minor issue: It seems impossible to update to 1.0.2 despite the admin panel complaining that it wants to be updated.)

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
I used this repository: https://download.owncloud.org/download/repositories/stable/CentOS_7/repodata/repomd.xml.key

Signing status (ownCloud 9.0 and above):
Newbie status confirmed. I have no idea what this is or how to provide the answer :).

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
File simply says: No errors have been found

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

{
    "system": {
        "instanceid": "oc1i7yju93iq",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "filer.friab.se"
        ],
        "datadirectory": "\/var\/www\/html\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/notreal.domain\/owncloud",
        "dbtype": "mysql",
        "version": "10.0.0.12",
        "dbname": "owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "maintenance": false,
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": 0,
            "timeout": 0
        }
    }
}

List of activated apps:
Enabled:
- activity: 2.3.3
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.2.8
- federatedfilesharing: 0.3.0
- federation: 0.1.0
- files: 1.5.1
- files_external: 0.7.0
- files_pdfviewer: 0.8.1
- files_sharing: 0.10.0
- files_texteditor: 2.1
- files_trashbin: 0.9.0
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 15.0.0
- market: 0.1.0
- notifications: 0.3.0
- provisioning_api: 0.5.0
- systemtags: 0.3.0
- templateeditor: 0.1
- updatenotification: 0.2.1
Disabled:
- encryption
- example-theme
- external
- files_antivirus
- user_external

**Are you using external storage, if yes which one:** local/smb/sftp/...
No

**Are you using encryption:** yes/no
No

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
No


### Client configuration
**Browser:**
Firefox 54.0.1

**Operating system:**
Windows Server 2016 and Windows 10

### Logs

#### Web server error log

Insert your webserver log here

#### ownCloud log (data/owncloud.log)

{"reqId":"WXns6nAACIdLMFKLHdNwCgAAAAs","level":3,"time":"2017-07-27T13:38:50+00:00","remoteAddr":"I","user":"admin","app":"PHP","method":"GET","url":"\/owncloud\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json","message":"Redis::connect(): connect() failed: No such file or directory at \/var\/www\/html\/owncloud\/lib\/private\/RedisFactory.php#83"}
{"reqId":"WXns6nAACIdLMFKLHdNwCgAAAAs","level":3,"time":"2017-07-27T13:38:50+00:00","remoteAddr":"IP","user":"admin","app":"PHP","method":"GET","url":"\/owncloud\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json","message":"You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at \/var\/www\/html\/owncloud\/lib\/composer\/patchwork\/utf8\/src\/Patchwork\/Utf8\/Bootup\/intl.php#18"}
{"reqId":"WXns7CW4vqvy1iukxpjd0AAAAAA","level":3,"time":"2017-07-27T13:38:52+00:00","remoteAddr":"IP","user":"admin","app":"PHP","method":"GET","url":"\/owncloud\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json","message":"Redis::connect(): connect() failed: No such file or directory at \/var\/www\/html\/owncloud\/lib\/private\/RedisFactory.php#83"}
{"reqId":"WXns7CW4vqvy1iukxpjd0AAAAAA","level":3,"time":"2017-07-27T13:38:53+00:00","remoteAddr":"IP4","user":"admin","app":"PHP","method":"GET","url":"\/owncloud\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json","message":"You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at \/var\/www\/html\/owncloud\/lib\/composer\/patchwork\/utf8\/src\/Patchwork\/Utf8\/Bootup\/intl.php#18"}

#### Browser log

If you think these are needed, then I'd be happy to add them as well.

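A small checker for the three headers the post is about, added here as an example; it is not code from the original post or from ownCloud. It normalises header names (HTTP header names are case-insensitive, so the `X-FRAME-OPTIONS` spelling keycdn printed must be treated the same as `X-Frame-Options`) and compares the values against `nosniff`, `SAMEORIGIN` and `1; mode=block`. The embedded sample response is constructed from the values quoted in the post; the expected-value table, the function names and the command-line usage are the example's own assumptions.

```python
"""Check that HTTP security headers carry the values ownCloud's admin
warning asks for. Added example; not part of the post or of ownCloud."""
import sys
import urllib.request
from typing import Dict, List, Tuple

# Header name (lower-cased) -> expected value. The first two are the values
# quoted in the admin warning; the third appears in the post's keycdn output.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}


def normalise(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Lower-case header names and strip whitespace from values.
    Header names are case-insensitive per RFC 7230, so 'X-FRAME-OPTIONS'
    and 'X-Frame-Options' must be treated as the same header."""
    return {name.strip().lower(): value.strip() for name, value in headers}


def check_security_headers(headers: List[Tuple[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Return header -> (ok, observed value or '<missing>').
    Values are compared case-insensitively: 'nosniff' and 'SAMEORIGIN'
    are defined as case-insensitive tokens."""
    got = normalise(headers)
    result = {}
    for name, want in EXPECTED.items():
        observed = got.get(name, "<missing>")
        result[name] = (observed.lower() == want.lower(), observed)
    return result


def parse_raw_response(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 response into (name, value)
    pairs, skipping the status line and anything after the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name, value))
    return pairs


# Constructed sample response, modelled on the header lines quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Fetch a URL and return its response headers as (name, value) pairs.
    Only used when a URL is given on the command line."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.getheaders())


def report(headers: List[Tuple[str, str]]) -> bool:
    """Print one line per expected header; return True only if all match."""
    all_ok = True
    for name, (ok, observed) in check_security_headers(headers).items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {observed}")
        all_ok = all_ok and ok
    return all_ok


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pairs = fetch_headers(sys.argv[1])
    else:
        pairs = parse_raw_response(SAMPLE_RESPONSE)
    sys.exit(0 if report(pairs) else 1)
```

Run it with no arguments to check the constructed sample, or pass the URL of your own instance (for example the `index.php` page under the `overwrite.cli.url`). A directive placed in a vhost block can cover different paths than one placed in an `.htaccess` file, so it is worth checking the exact page the admin panel loads rather than only the site root; `Header always set` in Apache also applies on error responses, which plain `Header set` does not.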

#2

Hi, did you have a look at this github issue? It handles a similar problem: