 

Laravel refusing to display in iFrame as "'X-Frame-Options' to 'SAMEORIGIN'."

So I have built a form in Laravel and am hosting it externally, but I want to display it within an HTML page and am having issues with the X-Frame-Options header.

The exact error message is:

Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

I have seen on previous StackOverflow answers that this is due to FrameGuard Middleware but this has since been removed and the issue line of code is not in that file.

Laravel Version 5.3.

I have also tried to set X-Frame-Options in the Nginx config file using the following, with no result:

sed -i 's/http\ {/http\ {\nadd_header X-Frame-Options SAMEORIGIN, false;\n\n/' /etc/nginx/nginx.conf

This error is occurring in multiple browsers, tested: Chrome & Safari

littleswany asked Jan 20 '17 19:01



2 Answers

In my case, nginx was the one preventing the access.

Run:

grep -ri "X-Frame-Options" /etc/nginx

And check the output:

/etc/nginx/snippets/ssl-params.conf:add_header X-Frame-Options DENY;

After replacing DENY with SAMEORIGIN, everything started working as expected.

Daniel Teleginski Camargo answered Sep 18 '22 11:09


Set your header on the response from the frame to

X-Frame-Options: ALLOW-FROM https://example.com/

where example.com is the domain requesting the form.

You could use middleware in laravel to do this.

Generate a new middleware.

php artisan make:middleware FrameHeadersMiddleware

then in the handle function of the middleware you just created do something like:

namespace App\Http\Middleware;

use Closure;

class FrameHeadersMiddleware
{
    public function handle($request, Closure $next)
    {
        // Let the request run first, then add the header to the outgoing response
        $response = $next($request);
        $response->header('X-Frame-Options', 'ALLOW-FROM https://example.com/');
        return $response;
    }
}

You can then add this to one of the middleware arrays in Kernel.php

protected $middleware = [
    \App\Http\Middleware\FrameHeadersMiddleware::class,
];

Or to one of the middleware group arrays if you want to add it only to specific routes.

Joe answered Sep 20 '22 11:09
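An added example (not code from either answer) of the middleware approach described above, written for the case in the question where the embedding page is on another origin: it keeps X-Frame-Options as a fallback and carries the cross-origin allowlist in a Content-Security-Policy frame-ancestors directive, since Chrome and Safari, the two browsers the question tested, do not honour ALLOW-FROM. The class name and the allowed origin are placeholders; Laravel 5.3 or later is assumed.

```php
<?php
// Added example (not from the original answers). Assumes Laravel 5.3+.
// The class name and the allowed origin are placeholders.
namespace App\Http\Middleware;

use Closure;

class FrameAncestorsMiddleware
{
    // Origins that may embed the form. Read from config in a real app;
    // hard-coded here so the example is self-contained.
    private $allowedAncestors = ['https://example.com/'];

    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Chrome and Safari ignore ALLOW-FROM, so X-Frame-Options can only
        // express "nobody" or "same origin". Keep SAMEORIGIN as the fallback
        // for browsers without CSP support.
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');

        // CSP frame-ancestors carries the cross-origin allowlist. Browsers
        // that understand it enforce it and ignore X-Frame-Options.
        $sources = ["'self'"];
        foreach ($this->allowedAncestors as $origin) {
            $sources[] = $this->normalizeOrigin($origin);
        }
        $response->headers->set(
            'Content-Security-Policy',
            'frame-ancestors ' . implode(' ', $sources)
        );

        return $response;
    }

    // Reduce a configured URL to scheme://host[:port] so a path, query or
    // trailing slash cannot produce a malformed directive.
    private function normalizeOrigin($origin)
    {
        $parts = parse_url(trim($origin));
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            throw new \InvalidArgumentException("Bad frame ancestor: {$origin}");
        }
        $port = isset($parts['port']) ? ':' . $parts['port'] : '';
        return "{$parts['scheme']}://{$parts['host']}{$port}";
    }
}
```

If the application already sends a Content-Security-Policy header, append the frame-ancestors directive to that policy instead of replacing the header, and register the class in Kernel.php the same way as the middleware above.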