10

I'm using http://www.jacklmoore.com/colorbox to display the content of a URL in a lightbox. After implementation, the colorbox didn't show anything.

Later, I noticed the following error in the Chrome logs:

Refused to display document because display forbidden by X-Frame-Options.

So after reading the documentation I added the following line to the root .htaccess of the website:

Header always append X-Frame-Options SAMEORIGIN

to allow iframe embedding on my own domain.

But I still get the error. I'm a newbie to X-Frame-Options, and I'm working on an existing application, so I thought the .htaccess solution would be nice, but can it be overridden by some code? Note that it's not in the server configuration.

bogatyrjov
SupFrig

5 Answers

19

Try sending another X-Frame-Options header, add

<?php header('X-Frame-Options: GOFORIT'); ?>

to the top of your page. It should disable the SAMEORIGIN command.

bogatyrjov
  • I tested it without success, then I gave up and made my popin inline >.< But it's still weird, SAMEORIGIN should allow me to embed an iframe in my domain. – SupFrig Aug 30 '12 at 11:05
  • After trying a whole bunch of other "fixes" to get Wordpress to render in an iFrame, this FINALLY was the one that made it work for me! – dano Aug 05 '14 at 20:19
  • Hi, I tried this but I don't have success, can you tell me where I need to put this in my WordPress site? Thanks – Laranja Mecânica Oct 03 '16 at 11:01
  • A much more secure option is ``, where `https://example.com` is the site you want to allow to display the page in an iframe. [(Documentation)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) – rinogo Nov 02 '18 at 18:23
6

According to the Mozilla dev pages, here is the definition of

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

It means that the page would only be shown if you are including it from your own site.
Let's suppose

  1. you have a website on http://foo.com and you want to show http://foo.com/sec_page in an iframe; it would show up in the iframe
  2. but if you embed the same iframe (http://foo.com/sec_page) in http://bar.com then it would not display anything, as the origin would be different.

You can read the full note here

wesleys
Hammad
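As an added example (not code from the question, the answers, or Colorbox), here is the decision a browser makes for the situations in the question and in the answers above, modelled in JavaScript after the HTML Standard's X-Frame-Options processing and Chromium's parser. The origins foo.com and bar.com are the constructed ones from this answer; the function names are mine. It shows two things the thread leaves implicit: Apache's `Header append` adds a value next to one the application already emits rather than replacing it, and a browser that sees two different values in one response treats them as a conflict and refuses to render, so appending SAMEORIGIN does not help if the application already sends DENY; whereas a response that arrives with no recognised value at all (header removed, or only an unrecognised value such as GOFORIT) is not restricted. A CSP `frame-ancestors` directive, when present, takes precedence and X-Frame-Options is ignored.

```javascript
// Added example (not from the question, the answers, or Colorbox): a model of the
// decision a browser makes when a nested frame receives a response carrying
// X-Frame-Options, following the HTML Standard's processing model and Chromium's
// parser. Origins are plain strings here; a real browser compares scheme/host/port.

// Reduce every X-Frame-Options value in a response to one effective directive.
// `headerLines` holds the raw field value of each X-Frame-Options header line; a
// response can carry several (the application sets one, Apache's `Header append`
// adds another), and one line may itself be a comma-separated list.
function parseXFrameOptions(headerLines) {
  let result = "none";
  for (const line of headerLines) {
    for (const piece of line.split(",")) {
      const value = piece.trim().toLowerCase();
      if (value === "") continue; // "SAMEORIGIN," leaves an empty element: ignored
      const current = ["deny", "sameorigin", "allowall"].includes(value) ? value : "invalid";
      if (result === "none") result = current;
      else if (result !== current) result = "conflict"; // two different values
    }
  }
  return result;
}

// Decide whether the framed document may be displayed.
//   headerLines       raw X-Frame-Options values from the response (may be empty)
//   hasFrameAncestors true when the response also carries a CSP frame-ancestors
//                     directive; CSP then decides (not modelled here) and XFO is ignored
//   responseOrigin    origin of the framed document, e.g. "https://foo.com"
//   ancestorOrigins   origin of every ancestor document; empty for a top-level page
function framingAllowed({ headerLines, hasFrameAncestors = false, responseOrigin, ancestorOrigins }) {
  if (ancestorOrigins.length === 0) return true;  // not framed: header is irrelevant
  if (hasFrameAncestors) return true;             // CSP frame-ancestors governs instead
  switch (parseXFrameOptions(headerLines)) {
    case "deny":
    case "conflict":   // differing values: the browser refuses to render
      return false;
    case "sameorigin": // every ancestor, not just the parent, must share the origin
      return ancestorOrigins.every((o) => o === responseOrigin);
    default:           // none, allowall, or an unrecognised value: nothing enforced
      return true;
  }
}

// Constructed scenarios mirroring the thread (origins from this answer).
function scenarios() {
  const own = "https://foo.com";
  const other = "https://bar.com";
  const framed = (headerLines, ancestorOrigins, extra = {}) =>
    framingAllowed({ headerLines, responseOrigin: own, ancestorOrigins, ...extra });
  return {
    // SAMEORIGIN, page framed by its own site: allowed.
    sameOrigin: framed(["SAMEORIGIN"], [own]),
    // SAMEORIGIN, page framed by bar.com: blocked.
    crossOrigin: framed(["SAMEORIGIN"], [other]),
    // foo.com framed inside foo.com framed inside bar.com: blocked, an ancestor differs.
    nestedCrossOrigin: framed(["SAMEORIGIN"], [own, other]),
    // Application already sends DENY and .htaccess appends SAMEORIGIN: conflict, blocked.
    appendedToDeny: framed(["DENY", "SAMEORIGIN"], [own]),
    // SAMEORIGIN next to an unrecognised value such as GOFORIT: also a conflict.
    appendedToBogus: framed(["SAMEORIGIN, GOFORIT"], [own]),
    // Only an unrecognised value: nothing enforced, framing allowed anywhere.
    bogusOnly: framed(["GOFORIT"], [other]),
    // Header removed (Header unset / header_remove): framing allowed anywhere.
    removed: framed([], [other]),
    // CSP frame-ancestors present: X-Frame-Options DENY is ignored, CSP decides.
    cspWins: framed(["DENY"], [own], { hasFrameAncestors: true }),
  };
}

console.log(scenarios());
```

To see what the server actually emits (every copy of the header, plus any CSP), check the raw response instead of the rendered result: `curl -sI https://example.com/sec_page | grep -i -e x-frame-options -e content-security-policy`. Exactly one X-Frame-Options line should come back; if two do, the `.htaccess` directive is adding to a header the application already sets, and `Header set` or `Header unset` (which replace or drop it) rather than `append` is what you want. `Content-Security-Policy: frame-ancestors 'self'` expresses the same same-origin policy in the header current browsers consult first.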
2

You can remove the header from the response you get:

header_remove("X-Frame-Options");

user_stackoverflow
2

I've added this in httpd.conf:

 Header unset X-Frame-Options

And it works.

sehrob
0

Set X-Frame-Options to DENY or SAMEORIGIN. Otherwise it may help in crafting phishing attacks or frame injections if your site is vulnerable to an XSS attack.

Citricguy