FB Messenger webview X-Frame-Options: Deny ruining webview

About

Asked 18/1, 2018 at 12:36 Answered 19/1, 2018 at 3:58

Solved php webview facebook-messenger facebook-messenger-bot x-frame-options

I'm developing a Messenger application featuring wevbiews

It used to work fine on web but at some point it started showing this:

Refused to display 'https://www.messenger.com/t/EAPdevelopment?fb_iframe_origin=https%3A%2F%2Fwww.messenger.com' in a frame because it set 'X-Frame-Options' to 'deny'.

I have no idea what could go wrong, moreover, I've always sent this:

header('X-Frame-Options: ALLOW-FROM https://www.messenger.com/');
header('X-Frame-Options: ALLOW-FROM https://www.facebook.com/');

to server anyway.

How is is possible to resolve this issue?

Introduce answered 18/1, 2018 at 12:36 Comment(7)

Recently it started showing the same error for me too. – Freeboot 18/1, 2018 at 12:55

I'm having the same problem myself. What bugs me is that the following bot exhibit the same issue: messenger.com/t/MessengerTaskBot I suspect the issue to be on Facebook side. I found the following github ticket which describes the same issue (blank webview iframe) which might need reopening, but it doesn't mention the X-Frame-Options error message. github.com/fbsamples/messenger-bot-samples/issues/15 – Doorbell 18/1, 2018 at 16:25

Actually several people have this issue, probably Facebook messed up something. Here's an official bug report: developers.facebook.com/bugs/147147746075305 – Freeboot 18/1, 2018 at 19:21

Do you add those two lines in the php file that the iframe navigates to? – Root 22/3, 2018 at 19:10

@MarcoDufal, essentially, that's the only place you should actually add them. – Anabel 22/3, 2018 at 19:39

@АрсенГоян I currently don't have them and my pages display just fine.. I was having an initial bug as I had some incorrect javascript, but once fixed everything displays fine as in the webview from the mobile app... I wonder now if they are essential.. – Root 22/3, 2018 at 19:45

@MarcoDufal if it displays fine, you don't have to send the headers. The bug must have been resolved by making them optional or whatever. – Anabel 23/3, 2018 at 17:27

Actually, facebook website has this issue, on messenger app its working fine. So they have bug on their site which they have resolved and will push on production in some time.

As mentioned in the facebook developer forum https://developers.facebook.com/bugs/147147746075305/

Loblolly answered 19/1, 2018 at 3:58 Comment(4)

Creative answer based on my comment. – Freeboot 19/1, 2018 at 7:41

@BenceGedai According to my interaction with Facebook developers team this morning, they have checked the bug from their end and resolved it. They are going to push the change in Production and it will be reflected soon. I am enlightening the users about the situation and the steps taken by facebook regarding this, which is more elaborate than what you are saying in the 1 liner. – Loblolly 19/1, 2018 at 9:45

Yeah, it turned out they already fixed it. Thanks everyone for keeping up to date – Anabel 19/1, 2018 at 13:44

we are still facing this issue in android webview – Spearman 31/1, 2019 at 13:14

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags