I have been using Nextcloud (on Nginx) for a while now and I want to iframe it from another website. However, the header does not accept my directives.
I changed the header option in /var/www/nextcloud/lib/private/legacy/response.php into the following:
header('X-Frame-Options: ALLOW-FROM https://example.com');
However, when I make an example webpage with an iframe, it gives me the following error:
Invalid 'X-Frame-Options' header encountered when loading 'https://nextcloud.example.com/apps/files/': 'ALLOW-FROM https://example.com' is not a recognized directive. The header will be ignored.
Does anyone have an idea why this does not work?
Double-click the HTTP Response Headers icon in the feature list in the middle. In the Actions pane on the right side, click Add. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field. Click OK to save your changes.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> , <iframe> , <embed> or <object> . Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
allow-from is 'obsolete'. You can use the Content-Security-Policy header instead:
header('Content-Security-Policy: frame-ancestors https://example.com');
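The following Python block is an added example (not Nextcloud, nginx or browser code, and not part of the answer above). It builds the headers the answer recommends and then emulates, in a simplified form, how a CSP-aware browser evaluates `frame-ancestors` against the origin of the embedding page. Function names (`build_framing_headers`, `frame_ancestors_allows`, `parse_origin`) and the sample origins are assumptions chosen for the illustration; the matcher handles scheme, host, wildcard-subdomain and port sources but not path components or `'self'` subtleties beyond an exact origin comparison.

```python
"""Added example: emit a framing policy via frame-ancestors and check it the
way a browser does.  Not Nextcloud or nginx code; names are illustrative."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(url):
    """Normalise 'https://example.com' into (scheme, host, port)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {url!r}")
    return parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def build_framing_headers(allowed_origins):
    """Headers letting a page be framed only by allowed_origins.

    allowed_origins holds origins such as 'https://example.com' (host may start
    with '*.') or the CSP keywords 'self' / 'none'.  X-Frame-Options can only
    say DENY or SAMEORIGIN, so it is added only when the policy reduces to one
    of those; the obsolete ALLOW-FROM is deliberately never emitted, because
    browsers such as Chrome ignore it (the error quoted in the question).
    """
    sources = []
    for origin in allowed_origins:
        if origin in ("'self'", "'none'"):
            sources.append(origin)
            continue
        scheme, host, port = parse_origin(origin)
        suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
        sources.append(f"{scheme}://{host}{suffix}")
    if not sources or "'none'" in sources:
        sources = ["'none'"]
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(sources)}
    if sources == ["'none'"]:
        headers["X-Frame-Options"] = "DENY"
    elif sources == ["'self'"]:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def _source_matches(source, page, ancestor):
    """Simplified CSP3 source-expression match for one frame-ancestors entry."""
    scheme, host, port = ancestor
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == page
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. 'https:'
        return scheme == source[:-1].lower()
    if "://" in source:                                  # host-source with scheme
        src_scheme, rest = source.split("://", 1)
        src_scheme = src_scheme.lower()
        if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
            return False
    else:                                                # scheme-less host-source
        rest = source
        if scheme != page[0] and not (page[0] == "http" and scheme == "https"):
            return False
    src_host, _, src_port = rest.partition(":")
    src_host = src_host.lower()
    if src_host.startswith("*."):
        # '*.example.com' matches www.example.com but not example.com itself
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    if src_port == "*":
        return True
    if src_port:
        return port == int(src_port)
    return port == DEFAULT_PORTS[scheme]                 # no port given: default only


def frame_ancestors_allows(headers, page_origin, ancestor_origin):
    """May a document served with `headers` from page_origin be framed by a
    document at ancestor_origin?  When frame-ancestors is present the browser
    ignores X-Frame-Options entirely; without it, only DENY and SAMEORIGIN are
    honoured, and unrecognised values like ALLOW-FROM are dropped."""
    csp = headers.get("Content-Security-Policy", "")
    sources = None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            break
    page, ancestor = parse_origin(page_origin), parse_origin(ancestor_origin)
    if sources is None:
        xfo = headers.get("X-Frame-Options", "").strip().upper()
        if xfo == "DENY":
            return False
        if xfo == "SAMEORIGIN":
            return ancestor == page
        return True        # ignored header: no framing restriction at all
    return any(_source_matches(src, page, ancestor) for src in sources)


if __name__ == "__main__":
    policy = build_framing_headers(["https://example.com"])
    print(policy)
    print(frame_ancestors_allows(policy, "https://nextcloud.example.com", "https://example.com"))
```

Note the last branch of `frame_ancestors_allows`: a response carrying only `X-Frame-Options: ALLOW-FROM https://example.com` is treated as having no framing restriction, which is exactly what the quoted Chrome message ("The header will be ignored") means in practice.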
To come back to this post: unfortunately, I found the problem. Chrome does not support this option, therefore Chrome gives me the error that the iframe redirected me too many times.
However, the option works in Firefox (more information here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).