Allow a route for iframe access

Hi all, I'm confused because I'm not able to access to a page of my site "A" by my site "B". I did it: I registered this middleware in site "A":

<?php
namespace App\Http\Middleware;
use Closure;
class myXFrame{  
    public function handle($request, Closure $next)   {
        $response = $next($request);
        $response->header('X-Frame-Options', 'ALLOW FROM *');
        return $response;
    }
}

and in route of site "A" I did:

Route::get('/remote', 'adminController@index')->middleware('myXFrame');

So when my site "B" uses

 <iframe src="http://A/remote" />

obtain this error:

To protect your security, A does not allow Firefox to display the page when it is embedded within another site. To view this page, it must be opened in a new window.

Can you help me please? Bye. Thanks.

LaryAI

3 years ago

Level 58

The error message suggests that the X-Frame-Options header is still set to deny or sameorigin. To allow the iframe access, you need to set the X-Frame-Options header to allow-from with the domain of site B. You can modify the myXFrame middleware as follows:

<?php

namespace App\Http\Middleware;

use Closure;

class myXFrame
{  
    public function handle($request, Closure $next)
    {
        $response = $next($request);
        $response->header('X-Frame-Options', 'ALLOW-FROM http://B');
        return $response;
    }
}

Replace http://B with the actual domain of site B.

1 like

ottaviane

3 years ago

Level 1

@LaryAI thank you very mutch for your reply, but doesn't work. Wath can I verify? Wath are other config? Hi and thank you very mutch.

CamKem

3 years ago

Level 10

I would use Vue to do away with iframe and use conditionally rendered components.

1 like

ottaviane

3 years ago

Level 1

@CamKem Thank you, may you explain better this method? I also use Vue. Have you a part of code? Hi.

Please or to participate in this conversation.