I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want: X-Frame-Options: SAMEORIGIN

For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php

I'm looking for a better solution. I've tried this in the filters.php file:

App::after(function($request, $response) {
   $response->header('X-Frame-Options', 'ALLOW-ALL');
});

But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.


Solution

Laravel doesn't provide any configuration to disable this functionality.

According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:

App::forgetMiddleware('Illuminate\Http\FrameGuard');

The dirty solution is to comment out the guilty line:

$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);

Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about Laravel's upcoming policy.

Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.

Other tips

The third parameter of the header method should serve your needs.
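
A per-route variant of the approach in the answers above, as an added example that is not part of the original posts or Laravel's own code: FrameGuard is removed, then an after filter sets the header itself, so only the routes meant to be embedded lose SAMEORIGIN. The path patterns are hypothetical, and placing this in app/start/global.php is an assumption about which start file is meant.

```php
<?php
// app/start/global.php (Laravel 4.1). Added example, not framework code.

// Stop the framework from appending SAMEORIGIN to every response.
App::forgetMiddleware('Illuminate\Http\FrameGuard');

// Hypothetical URI patterns for pages that other sites are allowed to frame.
$frameablePaths = array('embed/*', 'widgets/*');

App::after(function ($request, $response) use ($frameablePaths) {
    foreach ($frameablePaths as $pattern) {
        if ($request->is($pattern)) {
            // Frameable route: send no X-Frame-Options header at all.
            $response->headers->remove('X-Frame-Options');
            return;
        }
    }

    // Every other response keeps the former default. The third argument
    // (replace) is true, so exactly one value is sent instead of a
    // comma-joined list such as "ALLOW-ALL, SAMEORIGIN".
    $response->headers->set('X-Frame-Options', 'SAMEORIGIN', true);
});
```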

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow