
I would like to add multiple domains in X-Frame-Options, because I must authorize facebook and messenger.

I tried many things, for example...

I created a middleware:

    <?php

    namespace App\Http\Middleware;

    use Closure;

    class FrameHeadersMiddleware
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            $response = $next($request);

            // The directive is spelled ALLOW-FROM; the second call replaces the first header.
            $response->header('X-Frame-Options', 'ALLOW-FROM https://www.messenger.com/');
            $response->header('X-Frame-Options', 'ALLOW-FROM https://www.facebook.com/');

            return $response;
        }
    }

But only facebook is added...


Edit: I use the HTTP referer with this:

    <?php

    namespace App\Http\Middleware;

    use Closure;

    class FrameHeadersMiddleware
    {
        /**
         * Handle an incoming request.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle($request, Closure $next)
        {
            $response = $next($request);

            // The Referer header carries a full URL, so compare only its host part.
            $referrerHost = parse_url((string) $request->server('HTTP_REFERER'), PHP_URL_HOST);

            if ($referrerHost === 'www.messenger.com') {
                $response->header('X-Frame-Options', 'ALLOW-FROM https://www.messenger.com/');
            }

            if ($referrerHost === 'www.facebook.com') {
                $response->header('X-Frame-Options', 'ALLOW-FROM https://www.facebook.com/');
            }

            return $response;
        }
    }
Jérémie Chazelle
  • That is not possible this way. You can not specify the header multiple times, and it allows for only one URI. You need to output it specifically for whatever domain is framing your stuff in the first place. – CBroe May 22 '18 at 13:26
  • Is facebook going to load your page in an iframe? – apokryfos May 22 '18 at 13:38
  • @apokryfos I read this here https://developers.facebook.com/docs/messenger-platform/webview/extensions#iframe – Jérémie Chazelle May 22 '18 at 13:39
  • I would like to use the webview; it works, but on desktop I don't have the "modal", there is a redirection in a new tab and I would like to have a modal (in an iframe) @apokryfos – Jérémie Chazelle May 22 '18 at 13:43
  • @CBroe do you have documentation, please? I read this https://developers.facebook.com/docs/messenger-platform/webview/extensions#iframe – Jérémie Chazelle May 22 '18 at 14:02

1 Answer

You can't have multiple X-Frame-Options headers at the same time.

See the specification:

2.3.2.3. Usage Design Pattern and Example Scenario for the ALLOW-FROM Parameter

As the "ALLOW-FROM" field only supports one serialized-origin, in cases when the server wishes to allow more than one resource to frame its content, the following design pattern can fulfill that need:

  1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

  3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

  4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.

Quentin
  • and the workaround here is to do something like (edited) `if($_SERVER['HTTP_ORIGIN'] === 'www.messenger.com') { $response->header('X-Frame-Options', 'ALLOW FROM https://www.messenger.com/'); }` in the middleware. – ceejayoz May 22 '18 at 13:29
  • @ceejayoz — No. If that worked, then you could just do "SAME ORIGIN". Do what I quoted in my answer. – Quentin May 22 '18 at 13:30
  • This *is* what's in your answer - it's code for implementing #2 and #3. – ceejayoz May 22 '18 at 13:32
  • @ceejayoz — No. `$request->getHttpHost()` will give you the host name of the site that hosts the page being loaded into the iframe. You need to check the host of the page with the ` – Quentin May 22 '18 at 13:32
  • Ah! Need more coffee. I see it now. `if($_SERVER['HTTP_ORIGIN']` instead. – ceejayoz May 22 '18 at 13:33
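The pattern the answer quotes, as an added example in plain PHP that is not code from the question or the answer: the framing page passes its origin in a query parameter, the server checks it against an allowlist and only then emits ALLOW-FROM. The allowlist, the `frame_origin` parameter name and the `/embed.php` path are assumptions, and a CSP `frame-ancestors` header is sent alongside because current browsers ignore ALLOW-FROM.

```php
<?php
// Added example, not code from the question or the answer: the RFC 7034
// pattern in plain PHP with a constructed allowlist of framing origins.
const FRAME_ALLOWLIST = ['https://www.facebook.com', 'https://www.messenger.com'];

/**
 * Normalise a candidate such as "https://www.messenger.com/t/?x=1" or a bare
 * "www.messenger.com" to "scheme://host[:port]" and return it only when it is
 * in the allowlist, otherwise null.
 */
function allowedFrameOrigin(?string $candidate, array $allowlist): ?string
{
    if ($candidate === null || $candidate === '') {
        return null;
    }
    // A bare host gets an https scheme so that parse_url sees an absolute URL.
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
        $candidate = 'https://' . $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    // Exact match only: "www.messenger.com.evil.example" must not pass.
    return in_array($origin, array_map('strtolower', $allowlist), true) ? $origin : null;
}

/** Step 3 of the pattern: the headers to send for one request. */
function frameHeaders(?string $queryOrigin): array
{
    $origin = allowedFrameOrigin($queryOrigin, FRAME_ALLOWLIST);
    if ($origin === null) {
        return ['X-Frame-Options' => 'DENY', 'Content-Security-Policy' => "frame-ancestors 'none'"];
    }
    // Current browsers ignore ALLOW-FROM, so the CSP frame-ancestors
    // directive with the same origin is sent alongside it.
    return ['X-Frame-Options' => 'ALLOW-FROM ' . $origin,
            'Content-Security-Policy' => 'frame-ancestors ' . $origin];
}

// Usage: the framing page loads /embed.php?frame_origin=https://www.messenger.com
foreach (frameHeaders($_GET['frame_origin'] ?? null) as $name => $value) {
    header($name . ': ' . $value);
}
```

Dropped into the Laravel middleware above, `frameHeaders()` replaces the referer checks and its array is applied with `$response->header()` for each entry.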