26

I'm going to create a website which — in addition to its own content — would have links (in iframes) to the world's biggest newspaper websites like New York Times, Financial Times and some others.

But I've faced a problem with framing permission. For example, NY Times shows me the error `Load denied by X-Frame-Options: http://www.nytimes.com/ does not permit framing.` I have read many forums and didn't find a workable solution. I tried to add `Header always append X-Frame-Options SAMEORIGIN` to the `.htaccess` file but it didn't help. Is there any way to solve this problem?

Amonnn
  • Possible duplicate of [How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?](https://stackoverflow.com/questions/2783095/how-can-i-bypass-the-x-frame-options-sameorigin-http-header) – Quentin Dec 24 '18 at 15:09

3 Answers

33

Some websites have a server setting that will not allow other websites to "frame" their content. This is mainly to protect their copyrights and direct traffic to their websites only.

This is typically done by adding the following to Apache's configuration (`httpd.conf` file):

```
Header always append X-Frame-Options SAMEORIGIN
```

Unfortunately, there is really nothing you can do about it if you want to frame the website.

itoctopus
  • 14
    Copyrights are not the only reason. Cross-site scripting attacks are the main reason for this header. – MovGP0 Dec 19 '17 at 16:02
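
The header discussed in this answer is read by the visitor's browser from the framed site's response, so setting it in the framing site's own `.htaccess` has no effect on the decision. The JavaScript below is an added example (not code from this thread) that models that decision in simplified form, following the X-Frame-Options check in the HTML Standard; the function names and the `aggregator.example` origin are assumptions, and CSP `frame-ancestors`, which takes precedence when present, is not modelled.

```javascript
// Added example: a simplified model of how a browser applies X-Frame-Options.
// The header is read from the FRAMED site's response, never from the framing site.

// headerLines: each X-Frame-Options header line on the framed response.
function parseXfo(headerLines) {
  const tokens = new Set();
  for (const line of headerLines) {
    for (const part of line.split(",")) {
      const t = part.trim().toLowerCase();
      if (t) tokens.add(t);
    }
  }
  return tokens;
}

// framedUrl: URL loaded in the iframe; ancestorOrigins: origins of all frames above it.
function framingDecision(headerLines, framedUrl, ancestorOrigins) {
  const tokens = parseXfo(headerLines);
  if (tokens.size === 0) return { allowed: true, reason: "no header" };
  if (tokens.size > 1) {
    // Mixed values: fail closed if any is recognised, otherwise ignore them all.
    const known = ["deny", "sameorigin", "allowall"].some((k) => tokens.has(k));
    return known
      ? { allowed: false, reason: "conflicting values" }
      : { allowed: true, reason: "unrecognised values ignored" };
  }
  const [value] = tokens;
  if (value === "deny") return { allowed: false, reason: "DENY" };
  if (value === "sameorigin") {
    const self = new URL(framedUrl).origin;
    const ok = ancestorOrigins.every((o) => new URL(o).origin === self);
    return { allowed: ok, reason: ok ? "same-origin ancestors" : "cross-origin ancestor" };
  }
  // Anything else (ALLOWALL, the obsolete ALLOW-FROM, typos) is not enforced.
  return { allowed: true, reason: `"${value}" not enforced` };
}

// Constructed cases; aggregator.example is a hypothetical framing site.
const cases = [
  [["SAMEORIGIN"], "http://www.nytimes.com/", ["https://aggregator.example"]],
  [["SAMEORIGIN, SAMEORIGIN"], "http://www.nytimes.com/", ["http://www.nytimes.com"]],
  [["DENY", "SAMEORIGIN"], "http://www.nytimes.com/", ["http://www.nytimes.com"]],
  [["ALLOWALL"], "http://www.nytimes.com/", ["https://aggregator.example"]],
];
for (const [hdr, url, parents] of cases) {
  console.log(hdr.join(" | "), "->", JSON.stringify(framingDecision(hdr, url, parents)));
}
```

The first case is the situation in the question: the framed response carries `SAMEORIGIN` and the parent page is on a different origin, so the frame is refused regardless of what the parent site sends.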
7

If your goal isn't to build a website (intended for others to visit) which embeds other websites inside your own, and this is truly for personal use, then a solution is to search for and install any add-on that lets you modify response headers, or even more poignant - get the "Ignore X-Frame-Options" add-on.

These add-ons will intercept the response from the remote server and allow you to replace the X-Frame-Options header value with ALLOWALL - which in turn will cause your browser to allow the response to be embedded in a frame.

As it turns out, another SO question even discusses the code required to write your own add-on that does this: Disable X-Frame-Option on client side

Alain
-2

Just add the Ignore X-Frame-Options Header add-on by ThomazPom on Mozilla and it will work fine. And there is no other solution. Below is the link:

https://addons.mozilla.org/en-US/firefox/addon/ignore-x-frame-options-header/

  • 6
    If the user is creating a website that other people are supposed to visit, how does this extension help? Does everyone who ever visits his website have to be using Firefox and have this extension installed? – Alain Dec 31 '18 at 13:28
  • 1
    @Alain it's impossible to fix server-side -- that's literally the entire point of the header, to allow content owners to control whether another site can frame their content; to protect intellectual property, ad revenue, and (most importantly) to protect against cross-site scripting. – Doktor J Jun 18 '19 at 16:40
  • As for personal use, this is perfect. The add-on supports a whitelist, but is enabled for **all** websites by default. For those wanting to use this extension, **DON'T** have this enabled for all websites – Typewar Mar 03 '20 at 15:02