Laravel refusing to display in iFrame as "'X-Frame-Options' to 'SAMEORIGIN'."

2

11

So I have built a form in Laravel and am hosting it externally, but I want to display this within an HTML page and am having issues with the X-Frame-Options.

The exact error message is:

Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I have seen on previous StackOverflow answers that this is due to FrameGuard Middleware but this has since been removed and the issue line of code is not in that file.

Laravel Version 5.3.

I have also tried to set the X-Frame-Options in the Nginx config file using the following, with no result:

sed -i 's/http\ {/http\ {\nadd_header X-Frame-Options SAMEORIGIN, false;\n\n/' /etc/nginx/nginx.conf

This error is occurring in multiple browsers, tested: Chrome & Safari

Hoag answered 20/1, 2017 at 19:36 Comment(0)
17

Set your header on the response from the frame to

X-Frame-Options: ALLOW-FROM https://example.com/

where example.com is the domain requesting the form.

You could use middleware in Laravel to do this.

Generate a new middleware.

php artisan make:middleware FrameHeadersMiddleware

Then in the handle function of the middleware you just created, do something like:

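<?php

namespace App\Http\Middleware;

use Closure;

class FrameHeadersMiddleware
{
    public function handle($request, Closure $next)
    {
        // Let the rest of the stack build the response, then add the header.
        $response = $next($request);
        $response->header('X-Frame-Options', 'ALLOW-FROM https://example.com/');

        return $response;
    }
}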

You can then add this to one of the middleware arrays in Kernel.php

protected $middleware = [
    // Leading backslash: Kernel.php is itself inside the App\Http namespace.
    \App\Http\Middleware\FrameHeadersMiddleware::class,
];

Or to one of the middleware group arrays if you want to add it only to specific routes.

Bornstein answered 21/1, 2017 at 12:33 Comment(7)
Thanks, I have tried this but did not work in nginx config file, is there anywhere else I could try it? - Hoag
@Hoag does that header come back in the response from the form? - Bornstein
No, the same origin option comes back even when set as in your answer in nginx, so I think Laravel is changing it. - Hoag
Try using a middleware to add the header to all outgoing responses. - Bornstein
How would I go about doing this? - Hoag
In Laravel as of today I'm seeing both headers, so this is adding an additional header rather than replacing it. - Prudery
Unfortunately this is now not advised as an approach: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… - Doleful
9

In my case, nginx was the one preventing the access.

Run:

grep -ri "X-Frame-Options" /etc/nginx        

And check the output:

/etc/nginx/snippets/ssl-params.conf:add_header X-Frame-Options DENY;

After replacing DENY with SAMEORIGIN, everything started working as expected.

Zenithal answered 13/6, 2017 at 17:26 Comment(1)
Ty good sir, this was my issue as well. I instead just commented out the line since my desire is to allow my page to be iframed anywhere. - Skirting
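
Added example, not part of the original answers: ALLOW-FROM is obsolete and was never implemented by Chrome or Safari (the browsers tested in the question), so allowing a single external origin is done with the Content-Security-Policy frame-ancestors directive instead. The class name FrameAncestorsMiddleware and the origin https://example.com are assumptions, and the code assumes the response carries at most one Content-Security-Policy header.

```php
<?php
// Added example (assumed names: FrameAncestorsMiddleware, https://example.com).

namespace App\Http\Middleware;

use Closure;

class FrameAncestorsMiddleware
{
    /** Origins allowed to embed this app in a frame (assumed value). */
    private $allowedParents = ['https://example.com'];

    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // X-Frame-Options cannot name one foreign origin in Chrome or Safari,
        // so drop any value set earlier in the PHP stack.
        $response->headers->remove('X-Frame-Options');

        $directive = 'frame-ancestors ' . implode(' ', $this->allowedParents);
        $existing = $response->headers->get('Content-Security-Policy');

        // set() replaces the header instead of appending a second copy.
        $response->headers->set(
            'Content-Security-Policy',
            $this->mergeDirective($existing, $directive)
        );

        return $response;
    }

    /** Replace any frame-ancestors directive in $policy, keeping the rest. */
    private function mergeDirective($policy, $directive)
    {
        $kept = [];
        foreach (explode(';', (string) $policy) as $part) {
            $part = trim($part);
            if ($part !== '' && stripos($part, 'frame-ancestors') !== 0) {
                $kept[] = $part;
            }
        }
        $kept[] = $directive;

        return implode('; ', $kept);
    }
}
```

An X-Frame-Options header added by nginx with add_header, as in the answer above, is outside PHP's reach and has to be removed or changed in the nginx configuration itself.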
