X-Frame-Options SAMEORIGIN blocking iframe on my domain
I'm using http://www.jacklmoore.com/colorbox to display the content of a URL in a lightbox. After implementation, the colorbox didn't show anything.

Later, I noticed the following error in the Chrome logs:

Refused to display document because display forbidden by X-Frame-Options.

So, after reading the documentation, I added the following line to the root .htaccess of the website:

Header always append X-Frame-Options SAMEORIGIN

to allow iframe embedding on my own domain.

But I still get the error. I'm a newbie to X-Frame-Options, and I'm working on an existing application, so I thought the .htaccess solution would be nice, but can it be overridden by some code? Note that it's not in the server configuration.

Enyedy answered 29/8, 2012 at 16:48 Comment(0)
Try sending another X-Frame-Options header; add

<?php header('X-Frame-Options: GOFORIT'); ?>

to the top of your page. It should disable the SAMEORIGIN directive.

Mitre answered 30/8, 2012 at 7:58 Comment(4)
I tested it without success, then I gave up and made my popin inline >.< But it's still weird; SAMEORIGIN should allow me to embed an iframe in my domain. - Enyedy
After trying a whole bunch of other "fixes" to get WordPress to render in an iframe, this FINALLY was the one that made it work for me! - Chrysanthemum
Hi, I tried this but I don't have success. Can you tell me where I need to put this in my WordPress site? Thanks - Bashkir
A much more secure option is <?php header("X-Frame-Options: allow-from https://example.com/"); ?>, where https://example.com is the site you want to allow to display the page in an iframe. (Documentation) - Hardenberg
According to the Mozilla developer pages, here is the definition of

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

It means that a page will only be shown if you are including it from your own site.
Let's suppose

  1. You have a website on http://foo.com and you want to show something from http://foo.com/sec_page in an iframe: it will show up in the iframe.
  2. But if you embed the same iframe (http://foo.com/sec_page) in a page on http://bar.com, it will not display anything, as the origin has changed.

You can read the full note here

Mincey answered 27/12, 2012 at 10:38 Comment(0)
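As an added example (not code from this thread or from the colorbox project), the following Python script evaluates X-Frame-Options the way a browser does, so the asker's "SAMEORIGIN still blocks my own iframe" situation, the foo.com/bar.com cases in the answer above, and the GOFORIT and allow-from tricks in the other answers can all be checked against concrete URLs. The URLs and header values in it are constructed sample inputs; the function and variable names are the example's own. It also covers the case a practitioner would want to check when a .htaccess `Header append` line is added on top of a header the application already sends: the browser then sees two values, and if they differ it treats the result as DENY.

```python
# Added example (not from the original thread): decide whether a browser
# would display a framed document, given the X-Frame-Options value(s) on
# its response, the framed document's URL and the top-level page's URL.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple browsers compare for same-origin.
    Scheme, subdomain (www.foo.com vs foo.com) and port all count."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_xfo(header_values):
    """Normalise raw X-Frame-Options header value(s) into (directive, arg) tokens.

    A response may carry the header twice (one copy from the PHP application,
    one from .htaccess), or Apache `Header append` may have folded them into a
    single comma-separated value; both forms are split here so the set of
    values the browser actually sees is explicit.
    """
    tokens = []
    for value in header_values:
        for part in value.split(","):
            part = " ".join(part.split())  # collapse surrounding/inner whitespace
            if part:
                directive, _, arg = part.partition(" ")  # ALLOW-FROM <uri>
                tokens.append((directive.upper(), arg))
    return tokens


def framing_allowed(header_values, framed_url, framer_url):
    """Return (allowed, reason) for displaying framed_url inside framer_url."""
    tokens = parse_xfo(header_values)
    if not tokens:
        return True, "no X-Frame-Options header; framing is unrestricted by XFO"
    distinct = set(tokens)
    if len(distinct) > 1:
        # Chromium treats conflicting values as a deny: this is what a reader
        # gets when the app already sends DENY and .htaccess appends SAMEORIGIN.
        shown = ", ".join(d + (" " + a if a else "") for d, a in sorted(distinct))
        return False, f"conflicting X-Frame-Options values ({shown}); treated as DENY"
    directive, arg = tokens[0]
    framed, framer = origin_of(framed_url), origin_of(framer_url)
    if directive == "DENY":
        return False, "DENY forbids framing everywhere"
    if directive == "SAMEORIGIN":
        if framed == framer:
            return True, "SAMEORIGIN satisfied: same scheme, host and port"
        return False, f"SAMEORIGIN violated: framed origin {framed} != top-level origin {framer}"
    if directive == "ALLOW-FROM" and arg:
        # RFC 7034 semantics. Chrome never implemented ALLOW-FROM and ignores
        # the whole header when it sees it, so it gives no protection there.
        if origin_of(arg) == framer:
            return True, f"ALLOW-FROM matches top-level origin {framer}"
        return False, f"ALLOW-FROM {arg} does not match top-level origin {framer}"
    # Unrecognised value (such as GOFORIT above): browsers log an error and
    # ignore the header, so the page is framed with no protection at all.
    return True, f"unrecognised value {directive!r}; browsers ignore the header"


if __name__ == "__main__":
    # Constructed cases mirroring the foo.com / bar.com explanation above.
    cases = [
        (["SAMEORIGIN"], "http://foo.com/sec_page", "http://foo.com/"),
        (["SAMEORIGIN"], "http://foo.com/sec_page", "http://bar.com/"),
        (["SAMEORIGIN"], "http://foo.com/sec_page", "http://www.foo.com/"),
        (["DENY", "SAMEORIGIN"], "http://foo.com/sec_page", "http://foo.com/"),
        (["GOFORIT"], "http://foo.com/sec_page", "http://bar.com/"),
    ]
    for values, framed, framer in cases:
        allowed, why = framing_allowed(values, framed, framer)
        print(f"{str(values):24} in {framer:22} -> {'ALLOW' if allowed else 'BLOCK'}: {why}")
```

Running it shows the two answers that matter for the question: a www. subdomain or an http/https mismatch is already a different origin, so SAMEORIGIN blocks it, and an unrecognised value such as GOFORIT "works" only because the browser discards the header, which is the same as having no clickjacking protection.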
You can remove the header from the response you get:

header_remove("X-Frame-Options");

Neologize answered 27/9, 2013 at 16:51 Comment(0)
I've added this in httpd.conf:

 Header unset X-Frame-Options

And it works.

Leacock answered 27/12, 2016 at 7:37 Comment(0)
Set X-Frame-Options to DENY or SAMEORIGIN. Otherwise it may help in crafting phishing attacks or frame injections if your site is vulnerable to an XSS attack.

Leavelle answered 4/2, 2014 at 12:43 Comment(0)