Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Override HTTP header's default settings (X-FRAME-OPTIONS)

I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want : X-Frame-Options: SAMEORIGIN

For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php

I'm looking for a better solution. I've try in the filtre.php file :

App::after(function($request, $response) {
   $response->header('X-Frame-Options', 'ALLOW-ALL');
});

But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.

like image 410
Fractaliste Avatar asked Nov 29 '13 20:11

Fractaliste


Video Answer


2 Answers

Laravel doesn't provide any configuration to disable this functionality.

According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:

App::forgetMiddleware('Illuminate\Http\FrameGuard');

The dirty solution is to comment the guilty line:

$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);

Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about next Laravel's policy.

Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.

like image 197
Fractaliste Avatar answered Oct 09 '22 22:10

Fractaliste


The third parameter of the header method should serve your needs.

like image 45
peaceman Avatar answered Oct 09 '22 20:10

peaceman