Nothing will unset X-Frame-Options (Apache, PHP 5.3)

I'm trying to implement an embeddable widget, functioning similar to a Twitter embedded tweet. The simplest solution, though maybe not the best, appears to be an iframe or HTML5 embed - but both are being blocked by the X-Frame-Options header on the server.

I'm running PHP 5.3 and Apache 2.2 on a dedicated server under my full control.

I've tried placing this on the very first line of the iframe PHP file:

header_remove("X-Frame-Options");

I've tried adding the following to .htaccess:

Header unset X-Frame-Options

I've checked httpd.conf, the vhost .conf file, even PHP.INI, and searched for "x-frame" - nothing apparently relevant in either.

No mod_security or other plugins that should be injecting this on this server that I see.

Yet curl verifies the following HTTP header no matter what I do:

X-Frame-Options: DENY

Is there some, maybe oddly named setting somewhere that could still be forcing this header in?

Corey Avatar asked Oct 16 '15 13:10

Corey



1 Answer

Consider the following experiment:

Header always set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"

response headers:

X-Frame-Options "DENY"
X-Frame-Options "TEST"

Second experiment:

Header set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"

response headers:

X-Frame-Options "TEST"

Conclusion: the always option blocks the original value from being unset, however it doesn't block from adding a new value.

8ctopus Avatar answered Oct 07 '22 00:10

8ctopus
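Putting the experiment above to use for the original question, here is an added Apache configuration example (not from the answer or the asker). It assumes the embeddable widget lives at /widget/embed.php and that the site-wide DENY was added with `Header always set` somewhere in httpd.conf or the vhost; it keeps the clickjacking protection everywhere except that one path.

```apacheconf
# Site-wide default, as found on the server: nothing may be framed.
# A header added with "always" goes into Apache's "always" header table,
# which a plain "Header unset" never touches.
Header always set X-Frame-Options "DENY"

# Only the widget endpoint is allowed to be framed by other sites.
# The unset must also carry "always" so it operates on the same table
# the DENY was written to; "Header unset X-Frame-Options" alone leaves
# the DENY in place (exactly what the curl output in the question shows).
# Path is an assumed example location for the widget.
<Location "/widget/embed.php">
    Header always unset X-Frame-Options
</Location>
```

After a reload, `curl -I https://example.invalid/widget/embed.php` (hostname is a placeholder) should show no X-Frame-Options line while every other URL still returns DENY; only content meant for embedding should be served under that path, since any origin can now frame it. The `always` condition requires Apache 2.2.12 or later, which the 2.2 installation in the question most likely already satisfies.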