
I am getting the same error again and again. I have used helmet for X-Frame-Options, and for other headers I use access-allow. The Firefox console shows "Load denied by X-Frame-Options: does not permit framing." The Chrome console shows "Refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'." Please give me some solution. Any suggestion will be appreciated. Here is the code:

var express = require('express'); // express must be required before express() is called
var helmet = require('helmet');
var app = express();
app.use(helmet({
  frameguard: {
    action: 'allow-from',
    domain: 'https://calendar.google.com/calendar/'
  }
}))

var enableCORS = function(req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Content-Type, token, Content-Length, X-Requested-With, *');
  if ('OPTIONS' === req.method) {
    res.sendStatus(200);
  } else {
    next();
  }
};
app.all("/*", function(req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Content-Type, token, Content-Length, X-Requested-With, *');
  // res.set('X-Frame-Options', 'ALLOW-FROM htps://google.com/');
  next();
});
app.use(enableCORS);
Jayna Tanawala

1 Answer


Your configuration does the opposite:

  frameguard: {
    action: 'allow-from',
    domain: 'https://calendar.google.com/calendar/'
  }

will allow https://calendar.google.com/calendar/ to put your page in an iframe. Some websites will not allow other websites to frame their content, and that's why you got the error: if https://calendar.google.com/calendar/ sets X-Frame-Options to DENY, SAMEORIGIN or ALLOW-FROM http://example.com, where http://example.com is some other domain different from yours, you can't frame any of the https://calendar.google.com/calendar/ content.

Take a look here and here for more information.

Hamza Fatmi
  • Yes.. X-Frame-Options is not allowing me to render the contents from google calendar. But requirement is to load google calendar in iframe!! Is there any way to allow?? – Jayna Tanawala Apr 16 '18 at 12:26
  • X-Frame-Options will not enable you to load google calendar in an iframe, you can't do that unfortunately since you don't have any control over their config. – Hamza Fatmi Apr 16 '18 at 13:20
  • So is this a required evil to have on a site if you need Google Calendar? – klewis Mar 18 '21 at 13:11
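
The direction of the check described in the answer, as an added example that is not part of the original question or answer: the browser decides from the framed page's own response headers, so a header set on your server only governs who may frame you. The names `canFrame` and `originOf` and the origin `https://myapp.example` are hypothetical, and the header values are constructed samples modelled on the helmet config and the Chrome message quoted in the question.

```javascript
// Added example. Simplified model: one ancestor level, exact-origin matching only.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Decide whether `embedderOrigin` may frame a page served from `targetOrigin`,
// using only the headers sent by the FRAMED page (targetHeaders).
function canFrame(targetHeaders, targetOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(targetHeaders)) h[k.toLowerCase()] = String(v).trim();

  // CSP frame-ancestors, when present, replaces X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const allowed = directive.slice(1).some(src =>
      src === '*' ||
      (src === "'self'" && embedderOrigin === targetOrigin) ||
      originOf(src) === embedderOrigin);
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const raw = h['x-frame-options'] || '';
  const xfo = raw.toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedderOrigin === targetOrigin, decidedBy: 'SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // RFC 7034 semantics; current Chrome and Firefox ignore this value.
    const uri = raw.slice('ALLOW-FROM'.length).trim();
    return { allowed: originOf(uri) === embedderOrigin, decidedBy: 'ALLOW-FROM' };
  }
  return { allowed: true, decidedBy: 'none' };
}

// Constructed sample values (myapp.example is a placeholder origin).
const myOrigin = 'https://myapp.example';
const calendarOrigin = 'https://calendar.google.com';
// Header the question's helmet config puts on the asker's own responses.
const own = { 'X-Frame-Options': 'ALLOW-FROM https://calendar.google.com/calendar/' };
// Header Chrome reported on the calendar response.
const theirs = { 'X-Frame-Options': 'sameorigin' };

console.log(canFrame(own, myOrigin, calendarOrigin));    // may Google frame my page?
console.log(canFrame(theirs, calendarOrigin, myOrigin)); // may my page frame Google?
```

The first call is allowed and the second is refused, which matches the error in the question: nothing in the asker's own headers enters the second decision.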