Override HTTP header's default settings (X-FRAME-OPTIONS)

2

15

I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want: X-Frame-Options: SAMEORIGIN

For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php

I'm looking for a better solution. I've tried this in the filters.php file:

App::after(function($request, $response) {
   $response->header('X-Frame-Options', 'ALLOW-ALL');
});

But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.

Jung answered 29/11, 2013 at 20:44 Comment(1)
Anyone arriving here using Laravel 4.2 and wanting to limit the X-Frame-Options header back to the 'old' behaviour (pre-4.2): edit app/filters.php and add the following line in the App::after() filter: $response->headers->set('X-Frame-Options', 'SAMEORIGIN', true); - Tetragon
24

Laravel doesn't provide any configuration to disable this functionality.

According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:

App::forgetMiddleware('Illuminate\Http\FrameGuard');

The dirty solution is to comment out the guilty line:

$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);

Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about Laravel's next policy.

Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.

Jung answered 15/12, 2013 at 21:31 Comment(6)
Good to have it here also :) Here is a detailed topic also: forumsarchive.laravel.io/viewtopic.php?pid=64869 - Pym
So is this App::forgetMiddleware('Illuminate\Http\FrameGuard'); still useful in 4.2? - Vertex
@ngakak I didn't test Laravel 4 yet, but as far as I understand Taylor Otwell's words, Laravel 4 will have no X-FRAME-OPTIONS value defined in the default header anymore. Do you have an X-FRAME-OPTIONS problem? - Jung
Is there also a solution for Laravel 5? - Jewess
Is there a solution in 5.3, as I am having this issue now and can't find any info on it besides the above? - Lagasse
Any idea how to do it with PHP cURL? - Rasia
5

The third parameter of the header method should serve your needs.

Tamarah answered 29/11, 2013 at 23:12 Comment(1)
It should work except if the FrameGuard file is called at the end of the application, and it's the case. I found an issue request on GitHub about this problem. - Jung
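
The header behaviour discussed in this thread, as an added example that is not part of the original posts and is not Laravel's own code: `MiniHeaderBag` is a hypothetical stand-in that models only the replace flag (the third parameter) quoted above, and the stage order follows the comment that FrameGuard runs at the end of the application. It assumes PHP 7.4 or later.

```php
<?php
// Added illustration, not framework source. MiniHeaderBag is a hypothetical
// stand-in that models only the replace flag seen in the lines on this page.
final class MiniHeaderBag
{
    private array $headers = [];

    public function set(string $name, string $value, bool $replace = true): void
    {
        $key = strtolower($name);                 // header names are case-insensitive
        if ($replace || !isset($this->headers[$key])) {
            $this->headers[$key] = [$value];      // overwrite any earlier value
        } else {
            $this->headers[$key][] = $value;      // append to the earlier value
        }
    }

    public function line(string $name): ?string
    {
        $key = strtolower($name);
        return isset($this->headers[$key]) ? implode(', ', $this->headers[$key]) : null;
    }
}

// The after filter from the question (replace defaults to true).
$afterFilter = function (MiniHeaderBag $h): void {
    $h->set('X-Frame-Options', 'ALLOW-ALL', true);
};
// The FrameGuard line quoted in the answer (replace = false).
$frameGuard = function (MiniHeaderBag $h): void {
    $h->set('X-Frame-Options', 'SAMEORIGIN', false);
};

function runPipeline(array $stages): ?string
{
    $bag = new MiniHeaderBag();
    foreach ($stages as $stage) {
        $stage($bag);                             // stages run in array order
    }
    return $bag->line('X-Frame-Options');
}

// Filter first, FrameGuard last: the guard appends, so both values are sent.
var_dump(runPipeline([$afterFilter, $frameGuard]));
// FrameGuard removed (the forgetMiddleware case): only the filter's value remains.
var_dump(runPipeline([$afterFilter]));
// Guard first, filter last with replace = true: the filter's value wins.
var_dump(runPipeline([$frameGuard, $afterFilter]));
```

RFC 7034 defines only DENY, SAMEORIGIN and ALLOW-FROM as values for this header, so framing is permitted by not sending the header at all (the forgetMiddleware case) rather than by sending ALLOW-ALL. If the header is dropped application-wide, pages that must not be framed need it set again explicitly, as in the 4.2 comment above.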
