
nam_co's avatar

iframe and X-Frame-Options

Hi, hope somebody can help me. I'm trying to allow some pages to be included in an iframe on another site, for example Facebook, but I can't seem to find a way. I'm always getting:

Multiple 'X-Frame-Options' headers with conflicting values ('*, SAMEORIGIN') encountered when loading 'some url'. Falling back to 'DENY'.

I tried 2 ways:

Using Middleware:

class FrameHeadersMiddleware
{
    public function handle($request, Closure $next)
    {
        $response = $next($request);
        //$response->header('X-Frame-Options', 'ALLOWALL');
        //$response->header('X-Frame-Options', 'ALLOW FROM https://www.facebook.com');
        $response->headers->set('X-Frame-Options', '*');
        return $response;
    }
}

Or maybe there's an easy way to put it directly in the controller:

return view('front.benefits')
    ->withHeaders('X-Frame-Options', 'ALLOWALL')
    ->with('somedata', $somedata);

Please, has anyone managed to do this? I'm using L5.4.

0 likes
10 replies
nam_co's avatar

Hi, the problem is with the headers ('X-Frame-Options').

nam_co's avatar

I'm now trying this inside the Blade template, but still no luck:

<?php header('X-Frame-Options: *'); ?>
nam_co's avatar

I finally learned you can turn this off in the Forge -> nginx config.

nam_co's avatar
nam_co
OP
Best Answer
Level 4

Hi devwootbit, this is what I got:

#add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
4 likes
Manu_Chao's avatar

I was confused searching nginx.config. As I am using Forge + Digital Ocean I found nginx.config and I added the X-Frame-Options header without any success. I was editing the wrong config file.

Adding to nam_co's answer, the way to find it is to use the console to access your server:

grep -ri "X-Frame-Options" /etc/nginx (this will find the config file that your server is using)

Then comment out the line #add_header X-Frame-Options "SAMEORIGIN"; (as nam_co said)

I edited my X-Frame-Options via FrameGuard Laravel Middleware:

$response->headers->set('X-Frame-Options', 'ALLOW FROM url', false);

That made it ;)

1 like
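
An added example, not code from any poster in this thread: a POSIX shell function that reads raw response headers and reports whether more than one distinct X-Frame-Options value is being sent, which is the situation behind the "Multiple 'X-Frame-Options' headers with conflicting values" error above. The function name, the verdict strings and the sample responses are constructed for illustration; it treats DENY and SAMEORIGIN as the valid values and flags ALLOW-FROM as obsolete.

```shell
# Added example. Reads raw response headers on stdin; for a live site:
#   curl -sI https://your-site.example/ | xfo_verdict
# Prints: none | ok:<V> | obsolete:<V> | invalid:<V> | conflict:<V1>,<V2>
xfo_verdict() {
  # Header names are case-insensitive, and values may arrive comma-joined
  # on one line, so normalise both before comparing.
  xfo_values=$(tr -d '\r' \
    | grep -i '^x-frame-options:' \
    | cut -d: -f2- \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | tr '[:lower:]' '[:upper:]' \
    | grep -v '^$' \
    | LC_ALL=C sort -u) || true
  if [ -z "$xfo_values" ]; then
    printf '%s\n' "none"
    return 0
  fi
  xfo_count=$(printf '%s\n' "$xfo_values" | grep -c '')
  if [ "$xfo_count" -gt 1 ]; then
    # Two sources (e.g. nginx add_header plus app middleware) disagree.
    printf 'conflict:%s\n' "$(printf '%s\n' "$xfo_values" | paste -sd, -)"
    return 0
  fi
  case "$xfo_values" in
    DENY|SAMEORIGIN) printf 'ok:%s\n' "$xfo_values" ;;
    ALLOW-FROM\ *)   printf 'obsolete:%s\n' "$xfo_values" ;;
    *)               printf 'invalid:%s\n' "$xfo_values" ;;
  esac
}

# Constructed sample responses (not captured from a real server).
sample_conflict() {  # nginx and the middleware both set the header
  printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nx-frame-options: *\r\n\r\n'
}
sample_single() {    # only one source sets the header
  printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_bogus() {     # a value that is not a defined X-Frame-Options directive
  printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n'
}

sample_conflict | xfo_verdict
sample_single   | xfo_verdict
sample_bogus    | xfo_verdict
```

Current browsers do not honour ALLOW-FROM; to permit framing by one specific site, the Content-Security-Policy frame-ancestors directive is the mechanism to use.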
