
libertey

Iframe handling with Headers 'X-Frame-Options' and SAMEORIGIN

Hey, I'm building a small snippet of a player from another website right now, and I want to include that player via an iframe on any other website we are using. Now there are some complications, because Firefox won't load the content of that website because of wrong headers. I already created middleware for the 4 routes I'm using, but it will not work, though only when the website is in production; if it's set up locally and the server is running, I can implement the iframe. Is there more of a problem with the server-side headers, so that I have to adjust it in Nginx, or is there any workaround to get that working with Laravel middlewares? I will attach the routes I'm using and the middleware.

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class CorsMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
     * @return Response|RedirectResponse|JsonResponse
     */
    public function handle(Request $request, Closure $next): Response|RedirectResponse|JsonResponse
    {
        // Let the route run first, then adjust the headers of the finished response.
        $response = $next($request);

        // CORS headers: these affect fetch/XHR access from other origins, not whether
        // a browser is willing to render the page inside an <iframe>.
        $response->headers->set('Access-Control-Allow-Origin', '*');
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
        $response->headers->set('Access-Control-Allow-Headers', 'ACCEPT, CONTENT-TYPE, X-CSRF-TOKEN');

        // Note: X-Frame-Options only defines DENY and SAMEORIGIN (ALLOW-FROM is obsolete);
        // "ALLOWALL" is not a defined value, and browsers ignore values they do not recognise.
        $response->headers->set('X-Frame-Options', 'ALLOWALL');

        return $response;
    }
}

And the Routes...

<?php

use App\Http\Controllers\PlayerController;
use Illuminate\Support\Facades\Route;

// 'cors' is the alias registered for CorsMiddleware in app/Http/Kernel.php.
Route::middleware(['cors'])->group(function () {
    Route::get('/player/{season:slug}/{track}/{size?}/color={color?}', [PlayerController::class, 'showPlayer']);
    Route::get('/player', [PlayerController::class, 'index'])->name('player.index');
    Route::get('/player/random/{size?}/color={color?}', [PlayerController::class, 'randomizer'])->name('player.random');
    Route::get('/player/{season}', [PlayerController::class, 'view'])->name('player.view');
});

The middleware is also already connected in the Kernel. If someone has a clue how I can get that working, I would appreciate it.

libertey

UPDATE: I looked up my config from the production server and commented out the same-origin line in there.

# add_header X-Frame-Options "SAMEORIGIN";   # that one
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

Now it's working fine, but the problem is that the whole website is now available via an iframe. That's not how it should be; it should only be the routes above. So another question: is there any possibility to handle the headers completely via a middleware?

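The following is an added example, not the poster's code or part of any Laravel package. It shows one way to keep the framing policy entirely in the application, so the blanket `add_header X-Frame-Options "SAMEORIGIN";` can be dropped from nginx without exposing every page to framing: a single middleware that emits a restrictive policy by default and a `Content-Security-Policy: frame-ancestors` allow-list only on the player routes. The class name `FrameEmbedPolicy`, the `frame` alias and the partner origins are assumptions. Two points it relies on: `X-Frame-Options` has no value that permits framing by a chosen set of sites (that is what `frame-ancestors` is for), and a response that carries the header twice with conflicting values (one from nginx, one from the app) is treated by browsers as deny, which is the symptom seen only in production above.

```php
<?php
// app/Http/Middleware/FrameEmbedPolicy.php (added example, not the poster's code)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class FrameEmbedPolicy
{
    /**
     * Origins allowed to embed the player routes. Hypothetical values;
     * in a real application load them from config() / .env instead.
     */
    private const ALLOWED_FRAME_ANCESTORS = [
        'https://partner.example',
        'https://www.partner.example',
    ];

    /**
     * $mode is a middleware parameter: 'deny' (default) or 'embed'.
     * Registered in app/Http/Kernel.php as
     *   'frame' => \App\Http\Middleware\FrameEmbedPolicy::class
     * (in $middlewareAliases, or $routeMiddleware on older Laravel versions).
     */
    public function handle(Request $request, Closure $next, string $mode = 'deny'): Response
    {
        $response = $next($request);

        // Start from a clean slate so the response never carries two conflicting
        // X-Frame-Options values (e.g. one from the app and one from nginx).
        $response->headers->remove('X-Frame-Options');

        if ($mode === 'embed') {
            // Allow-list framing by specific origins. X-Frame-Options cannot express
            // this, so the policy lives in CSP; no X-Frame-Options header is sent here.
            $ancestors = implode(' ', self::ALLOWED_FRAME_ANCESTORS);
            $response->headers->set('Content-Security-Policy', "frame-ancestors 'self' {$ancestors}");
        } else {
            // Default for every other route: same-origin framing only. Both headers are
            // set so old browsers (X-Frame-Options) and new ones (CSP) enforce it.
            $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
            $response->headers->set('Content-Security-Policy', "frame-ancestors 'self'");
        }

        return $response;
    }
}

// routes/web.php (separate file in a real project; shown here for completeness)
// The existing 'cors' middleware can stay in the group, it just no longer touches
// X-Frame-Options.

use App\Http\Controllers\PlayerController;
use Illuminate\Support\Facades\Route;

Route::middleware(['cors', 'frame:embed'])->group(function () {
    Route::get('/player/{season:slug}/{track}/{size?}/color={color?}', [PlayerController::class, 'showPlayer']);
    Route::get('/player', [PlayerController::class, 'index'])->name('player.index');
    Route::get('/player/random/{size?}/color={color?}', [PlayerController::class, 'randomizer'])->name('player.random');
    Route::get('/player/{season}', [PlayerController::class, 'view'])->name('player.view');
});

// Everything else gets the restrictive default, e.g. by adding 'frame' (no parameter)
// to the 'web' middleware group in app/Http/Kernel.php:
//   'web' => [ /* ... */, \App\Http\Middleware\FrameEmbedPolicy::class ],
```

Two caveats for a real deployment: `headers->set('Content-Security-Policy', …)` replaces any CSP the application already sends, so merge the `frame-ancestors` directive into the existing policy if there is one; and the nginx `add_header X-Frame-Options` line should be removed from the server block that proxies to PHP (or kept only in a `location` that serves static files and never reaches the app), otherwise nginx appends its own copy to the application's header and the browser refuses to frame the page.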