@GermanKiwi opened this Issue on February 21st 2017

This issue relates to the discussion at https://github.com/piwik/piwik/issues/10167.

BACKGROUND:

I'm running WordPress 4.7.1 with the WP-Piwik plugin and a self-hosted Piwik installation on the same server.

While I was running Piwik 3.0.1 previously, I noticed that my website - not the Piwik page but the actual WordPress website - was getting an empty X-Frame-Options header (i.e. with no value at all), whenever I configured the WP-Piwik plugin to use Piwik Mode: "Self-hosted (PHP API)".

This was in addition to the X-Frame-Options header that I had defined in my .htaccess file, meaning that the website was generating two X-Frame-Options headers: one empty (from Piwik) and the other with a valid value (from .htaccess).

In addition, I also saw that I was getting an empty "Pragma" header and an empty "Expires" header as well, when using PHP API.

However, if I changed the Piwik Mode to "Self-hosted (HTTP API)", then the empty X-Frame-Options header was no longer generated - and nor were the empty Pragma and Expires headers - and I was left with just the legitimate header from .htaccess.

TODAY:

Today I installed Piwik 3.0.2-b5 as requested in Issue https://github.com/piwik/piwik/issues/10167. My testing shows that the empty X-Frame-Options header no longer shows up at all, regardless of what the Piwik Mode is set to. This is good news!

However, I still have the empty Pragma and Expires headers showing up when Piwik Mode is set to PHP API. I have no idea why, but I'd like to fix it. In addition, an extra Cache-Control header is also generated, with a value of "must-revalidate". This clashes with the Cache-Control header I have already defined in my .htaccess.

Here are the headers from my site, as generated by http://testuri.org:

Piwik Mode set to "Self-hosted (HTTP API)"

Status: HTTP/1.1 200 OK
Date: Tue, 21 Feb 2017 20:49:45 GMT
Server: Apache/2.4.20
Link: ; rel="https://api.w.org/", ; rel=shortlink
Set-Cookie: wfvt_-1772889948=58aca7eaaa9f0; expires=Tue, 21-Feb-2017 21:19:46 GMT; Max-Age=1800; path=/; HttpOnly
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Security-Policy: default-src https: data: 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.fontawesome.com
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubdomains
Referrer-Policy: no-referrer-when-downgrade
Connection: keep-alive, close
Cache-Control: max-age=86400, private
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

Piwik Mode set to "Self-hosted (PHP API)"

Status: HTTP/1.1 200 OK
Date: Tue, 21 Feb 2017 20:54:12 GMT
Server: Apache/2.4.20
Link: ; rel="https://api.w.org/", ; rel=shortlink
Pragma: 
Expires: 
Cache-Control: must-revalidate
Set-Cookie: wfvt_-1772889948=58aca8f57ab44; expires=Tue, 21-Feb-2017 21:24:13 GMT; Max-Age=1800; path=/; HttpOnly
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Content-Security-Policy: default-src https: data: 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.fontawesome.com
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubdomains
Referrer-Policy: no-referrer-when-downgrade
Connection: keep-alive, close
Cache-Control: max-age=86400, private
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

As you can see, the only difference between the two is the addition of the empty Pragma and Expires header, and the additional Cache-Control header, when using PHP API. All of the other security headers here are coming from my .htaccess.

Any ideas?
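One way to audit a response for the empty and conflicting headers described in this issue, as an added example that is not part of the original issue nor code from Piwik or WP-Piwik. The two header dumps embedded below are constructed, trimmed copies of the ones above; on a live site the same functions can be fed the raw header block returned by any HTTP client.

```python
"""Audit raw HTTP response header dumps for empty and conflicting headers."""
from collections import defaultdict

# Constructed sample: a trimmed copy of the "Self-hosted (PHP API)" dump.
PHP_API_HEADERS = """\
Status: HTTP/1.1 200 OK
Pragma: 
Expires: 
Cache-Control: must-revalidate
X-Frame-Options: sameorigin
Cache-Control: max-age=86400, private
Content-Type: text/html;charset=UTF-8
"""

# Constructed sample: a trimmed copy of the "Self-hosted (HTTP API)" dump.
HTTP_API_HEADERS = """\
Status: HTTP/1.1 200 OK
X-Frame-Options: sameorigin
Cache-Control: max-age=86400, private
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: [value, ...]} keeping every occurrence."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith("Status:"):
            continue  # skip blank lines and the pseudo-header status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def empty_headers(headers):
    """Names sent with no value at all, e.g. the 'Pragma: ' seen above."""
    return sorted(n for n, vals in headers.items() if "" in vals)

def duplicated_headers(headers):
    """Names sent more than once with differing values. Set-Cookie may
    legitimately repeat, so it is ignored; anything else is a conflict
    whose effective value depends on the client."""
    return {n: vals for n, vals in headers.items()
            if n != "set-cookie" and len(set(vals)) > 1}

def headers_added_by(mode_a, mode_b):
    """Header names present in mode_b's dump but absent from mode_a's."""
    return sorted(set(parse_headers(mode_b)) - set(parse_headers(mode_a)))
```

Running the three checks on the PHP-API dump reports Pragma and Expires as empty and Cache-Control as sent twice with different values, matching the observation in the issue.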

@mattab commented on March 21st 2017 Owner

Sorry, no idea about this. I would maybe ask in the WP-Piwik forum instead, since it seems to be a request from WordPress itself.

This Issue was closed on March 21st 2017