Nginx security setting issue with " view details" of plugins

[alexlii1971]

Hello @VirtuBox

I got an issue as below:

On subsite, when I click “view details” of installed plugins , it just show:”myrootdomain.com refused to connect, please check the screenshot:http://prntscr.com/m89wo1

That means I can not view details of plugins on a subsite.

But, I am sure my account is supper administrator with the capibility of network plugin management as the screenshot: http://prntscr.com/m89vh5

Here is the setting in nginx.conf:

    ##Common headers for security
    more_set_headers "X-Frame-Options : SAMEORIGIN";
    more_set_headers "X-Xss-Protection : 1; mode=block";
    more_set_headers "X-Content-Type-Options : nosniff";
    more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
    

I tried to comment both "more_set_headers "X-Frame-Options : SAMEORIGIN";
" and "more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";"

but the issue is still there.

I read an article at https://enable-cors.org/server_nginx.html

but it seems quite different, what should I do to enable "view details" on subsite please?

Thanks so much.

[VirtuBox]

Hello, it's the header X-Frame-Options the issue. Have you reload Nginx after commenting the header?

[alexlii1971]

Hello @VirtuBox ,

Yes, I cleaned all cache and restart nginx by:

root@101:~# ee clean --all
root@101:~# service nginx restart

root@101:~# sudo grep -R SAMEORIGIN /etc/nginx/

there is only one setting of SAMEORIGIN in nginx.conf

In this situation, I found there are actually two issues:

1.# sometimes, it will show "view details", but sometimes, it will show " Visit plugin site"
2# the issue still show header X-Frame-Options /SAMEORIGIN

So, is there any other place related to X-Frame-Options setting please?

[VirtuBox]

No there is no other configuration containing this directive. Try to replace it with X-Frame-Options: ALLOWALL

[alexlii1971]

Hi @VirtuBox ,

Yes, it will show the interface of plugins description content, and there will be a security hint:

http://prntscr.com/ox3twh

any suggestion on this situation please?

[VirtuBox]

Hello @alexlii1971,

I have no idea why there are insecure requests performed by this plugin.
You will probably get more information by contacting the developer of this plugin, because it doesn't seems to be related to Nginx security headers.