Can't access WordPress Dashboard in an iframe
I have an iframe on http://foo.example.com that targets http://bar.example.com.

On http://bar.example.com is a WordPress installation. I'm able to view the page and click on all pages and posts, but when I try to go to the backend I get

Refused to display document because display forbidden by X-Frame-Options.

and the request is aborted.

According to this question I added this header, which gets sent successfully:

header('X-Frame-Options: GOFORIT');

What else can limit the access to just the dashboard (and the login screen)?

I have access to both subdomains and can use an .htaccess as well.

Manganite answered 15/1, 2013 at 13:13 Comment(3)
Take a look here: wordpress.stackexchange.com/q/81607/12615 – Corry
Yep, exactly! Can you provide an answer to accept, or should this question get closed because it's obviously a duplicate? – Manganite
Different sites, not a duplicate. I'll make a summary here. – Corry

According to this, in WordPress Answers, Receiving “This content cannot be displayed in a frame” error on login page, WordPress sends a special header

X-Frame-Options: SAMEORIGIN

that prevents clickjacking, and hence prevents embedding the admin in an iframe.

It is possible to eliminate this header by removing a couple of actions from wp-includes/default-filters.php, but at your own risk.

Someone might register a domain with a very similar name, embed your login as background iframe and log the login credentials when you try to type them in.

Please, read the full Q&A at WPSE.

Corry answered 15/1, 2013 at 20:51 Comment(0)

Here is a better solution that won't break when you update WordPress (put this in your theme's functions.php):

// WordPress core hooks send_frame_options_header() on these two actions
// (login_init for wp-login.php, admin_init for wp-admin); unhooking it
// stops the X-Frame-Options: SAMEORIGIN header from being sent.
remove_action( 'login_init', 'send_frame_options_header' );
remove_action( 'admin_init', 'send_frame_options_header' );

Here's another solution if you're using Apache. Throw this in your .htaccess:

<IfModule mod_headers.c>
    Header unset X-Frame-Options
    Header always unset X-Frame-Options
</IfModule>
Semele answered 20/4, 2015 at 6:19 Comment(2)
Perfect solution! – Gerhart
Thanks for your kind words. I forgot to mention people need to throw the remove_action calls in functions.php – Semele
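Both answers above either strip X-Frame-Options entirely (which re-opens the clickjacking hole Corry warns about for every origin on the web) or leave it at SAMEORIGIN. The question actually only needs one trusted origin, foo.example.com, to be allowed to frame the login and admin pages. The following is an added example, not code from either answer or from WordPress itself: it unhooks the core header the same way Semele's answer does, then replaces it with a Content-Security-Policy frame-ancestors allow-list, which is the standard successor to X-Frame-Options and is honoured by all current browsers (an unrecognized X-Frame-Options value such as GOFORIT is simply ignored by browsers and protects nothing). The origin https://foo.example.com is taken from the question and is an assumption; the plugin name and function names are mine. Drop the file into wp-content/mu-plugins/ or paste the body into the active theme's functions.php.

```php
<?php
/**
 * Plugin Name: Allow wp-admin and wp-login.php to be framed from one trusted origin
 *
 * Added example for this thread, not code from the original answers or from
 * WordPress core. Assumes the embedding page lives at https://foo.example.com.
 */

// Only these origins may put the dashboard or the login form in an <iframe>.
// 'self' keeps WordPress's own same-origin framing (e.g. the media modal) working.
// Hypothetical constant name; edit the origin list for your setup.
const BAR_ALLOWED_FRAME_ANCESTORS = "'self' https://foo.example.com";

// Core registers send_frame_options_header() on both actions at the default
// priority (10), so remove_action() with the default priority finds it. Both
// calls run at file-load time, which is after wp-includes/default-filters.php
// has been loaded, so the removal sticks across WordPress updates.
remove_action( 'login_init', 'send_frame_options_header' );
remove_action( 'admin_init', 'send_frame_options_header' );

/**
 * Send a frame-ancestors policy in place of the X-Frame-Options header that
 * core would have sent. frame-ancestors wins over X-Frame-Options wherever
 * both are present, and it is the only way to allow-list a specific origin
 * that works in every current browser.
 */
function bar_send_frame_ancestors_header() {
    if ( headers_sent() ) {
        return; // Too late to change headers; nothing else we can do here.
    }

    // Belt and braces: if a plugin or the web server already emitted
    // X-Frame-Options, drop it so it cannot contradict the CSP directive.
    header_remove( 'X-Frame-Options' );

    header( 'Content-Security-Policy: frame-ancestors ' . BAR_ALLOWED_FRAME_ANCESTORS );
}
add_action( 'login_init', 'bar_send_frame_ancestors_header' );
add_action( 'admin_init', 'bar_send_frame_ancestors_header' );
```

Two caveats for anyone reusing this: the allow-list only protects you if foo.example.com itself is trusted, since anything framing your login from that origin can overlay it; and if you also have `Header unset X-Frame-Options` in .htaccess, that is now redundant but harmless, whereas a `Header always set X-Frame-Options SAMEORIGIN` elsewhere in the Apache config would be overridden by the CSP directive in browsers that support both, not by the PHP `header_remove()` call.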

© 2022 - 2024 — McMap. All rights reserved.