I'm using http://www.jacklmoore.com/colorbox to display the content of a URL in a lightbox. After implementation, the colorbox didn't show anything.
Later, I noticed the following error in the Chrome logs:
Refused to display document because display forbidden by X-Frame-Options.
So after reading up on it, I added the following line to the root .htaccess of the website:
Header always append X-Frame-Options SAMEORIGIN
to allow iframe embedding on my own domain.
But I still get the error. I'm a newbie to X-Frame-Options, and I'm working on an existing application, so I thought the .htaccess solution would be nice, but can it be overridden by some code? Note that it's not in the server configuration.
X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself. X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.
X-Frame-Options prevents webpages from being loaded in iframes, which prevents it from being overlaid over another website. The victim's browser actually applies the security control, this is because all browsers respect the X-Frame-Options header and will refuse to load any webpages with the header set in a frame.
Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that. Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.
I've added this in httpd.conf:
Header unset X-Frame-Options
And it works.
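The three outcomes discussed on this page (the question's `Header always append`, the first answer's description of SAMEORIGIN/ALLOW-FROM and CSP `frame-ancestors`, and the second answer's `Header unset`) can be checked with a small model of how a browser decides whether a page may be framed. This is an added example, not Colorbox code and not browser source. It assumes the existing application already emits its own `X-Frame-Options: DENY`, so that an Apache `append` produces a second value (`DENY, SAMEORIGIN`) instead of replacing the first; the sample URLs and header sets are constructed, and the rule that a multi-valued X-Frame-Options is refused is modelled on Chrome's "conflicting values, falling back to DENY" behaviour.

```python
"""Model of a browser's framing decision from X-Frame-Options (XFO) and the
CSP frame-ancestors directive. Added illustration; not browser source."""
from typing import Dict, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], the browser's notion of an origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(header: Optional[str], page_url: str, framer_url: str) -> bool:
    """Framing decision from an X-Frame-Options value.
    No header: framing allowed from anywhere (the 'default' the answer mentions).
    One token: DENY / SAMEORIGIN / ALLOW-FROM <origin>.
    Several tokens (what `Header append` yields, e.g. "DENY, SAMEORIGIN"):
    treated as invalid and refused (assumption modelled on Chrome's fallback)."""
    if header is None:
        return True
    tokens = [t.strip() for t in header.split(",") if t.strip()]
    if len(tokens) != 1:
        return False
    value = tokens[0]
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if upper.startswith("ALLOW-FROM"):
        # Only honoured by browsers that implement ALLOW-FROM; modern Chrome
        # and Firefox ignore it, so it is not a reliable control.
        allowed = value[len("ALLOW-FROM"):].strip()
        return origin_of(framer_url) == origin_of(allowed)
    return False  # unknown value: refuse, the safe default


def frame_ancestors_allows(csp: Optional[str], page_url: str, framer_url: str) -> bool:
    """Framing decision from a Content-Security-Policy frame-ancestors list.
    Supports 'none', 'self', '*', literal origins, bare hosts and '*.host'."""
    if csp is None:
        return True
    sources = None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            break
    if sources is None:
        return True  # CSP present but says nothing about framing
    framer = origin_of(framer_url)
    framer_host = (urlsplit(framer_url).hostname or "").lower()
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self" and framer == origin_of(page_url):
            return True
        if s.startswith("*.") and framer_host.endswith(s[1:]):
            return True
        if "://" in s and origin_of(s) == framer:
            return True
        if "://" not in s and s == framer_host:
            return True
    return False


def may_frame(headers: Dict[str, str], page_url: str, framer_url: str) -> bool:
    """Combine the headers as browsers do: a frame-ancestors directive takes
    precedence over X-Frame-Options; otherwise X-Frame-Options applies."""
    csp = headers.get("Content-Security-Policy")
    if csp and "frame-ancestors" in csp.lower():
        return frame_ancestors_allows(csp, page_url, framer_url)
    return xfo_allows(headers.get("X-Frame-Options"), page_url, framer_url)


# Constructed sample URLs and header sets mirroring the page's situations.
PAGE = "https://www.example.com/profile"       # page loaded inside the lightbox
SAME = "https://www.example.com/gallery"       # the site's own page hosting Colorbox
OTHER = "https://evil.example.net/"            # an unrelated site
PARTNER = "https://partner.example.org/embed"  # an explicitly allowed origin

SCENARIOS = {
    # app already sends DENY; `Header always append X-Frame-Options SAMEORIGIN`
    "append": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    # `Header always set X-Frame-Options SAMEORIGIN` replaces the app's value
    "set": {"X-Frame-Options": "SAMEORIGIN"},
    # second answer's `Header unset X-Frame-Options`: no header at all
    "unset": {},
    # the successor: an explicit allow-list via CSP frame-ancestors
    "csp": {"X-Frame-Options": "DENY",
            "Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://partner.example.org"},
}

if __name__ == "__main__":
    for name, hdrs in SCENARIOS.items():
        print(f"{name:7s} same-origin={may_frame(hdrs, PAGE, SAME)!s:5s} "
              f"other={may_frame(hdrs, PAGE, OTHER)!s:5s} "
              f"partner={may_frame(hdrs, PAGE, PARTNER)}")
```

The "append" row is the question's symptom: the lightbox on the site's own origin is still refused, because the browser does not read `DENY, SAMEORIGIN` as SAMEORIGIN. The "unset" row shows the cost of the second answer: with no header, any origin, including `OTHER`, can frame the page. The "csp" row is the answer's point about `frame-ancestors`: same-origin and the partner are allowed, everything else is refused.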