X-Frame-Options header is not a recognized directive

Question

I am using Nextcloud (on Nginx) for a while now and I want to iframe it for another website. However the header does not accept my directives.

I changed the header option in /var/www/nextcloud/lib/private/legacy/response.php into the following:

header('X-Frame-Options: ALLOW-FROM https://example.com');

However when I make an example webpage with an iframe it gives me the following error:

Invalid 'X-Frame-Options' header encountered when loading 'https://nextcloud.example.com/apps/files/': 'ALLOW-FROM https://example.com' is not a recognized directive. The header will be ignored.

Does anyone have an idea why this does not work?

score 28 · Answer 1 · answered Nov 29 '19 at 12:41

28

allow-from is 'obsolete'. You can use the Content-Security-Policy header instead:

header('Content-Security-Policy: frame-ancestors https://example.com');

answered Nov 29 '19 at 12:41

R. Oosterholt

7,720
2
53
77

score 14 · Accepted Answer · answered Dec 19 '17 at 12:36

To come back to this post. Unfortunatly I found the problem. Chrome does not support this option, therefore Chrome gives me the error that the iframe redirected me to many times.

However the option works on Firefox (More information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).

X-Frame-Options header is not a recognized directive

2 Answers2