HTTP headers
smilelan, 2020-07-07 20:07:50

How to change permissions on X-Frame-Options?

When inserting an iframe into a post on a website, an error appears in the console: in a frame because it set 'X-Frame-Options' to 'deny' (the iframe does not work accordingly). I set the .htaccess value to SAMEORIGIN, the error remained unchanged; in the WordPress configs I set the same value. Maybe there should be some other value? I ask you for help. Thank you.


2 answer(s)
smilelan, 2020-07-08
@smilelan

up

granty, 2020-09-29
@granty

I'll leave the answer for posterity, since the topic starter did not wait for it.
1. SAMEORIGIN means the same scheme / host / port number. That is, on the http://site.ru page with the X-Frame-Options SAMEORIGIN header, the iframe is not allowed to be loaded via https://. From http://www.site.ru it is also not allowed.
2. In RFC 7034, the X-Frame-Options header was ambiguous, so in the case of multiple nesting of iframes, some browsers check for SAMEORIGIN only the top-level document, others check the entire iframe nesting chain.
Therefore, the catch could be in either item 1 or item 2.
If the HTTP header is set in the .htaccess file, it makes no sense to set it in the WordPress configs, since .htaccess takes precedence and will overwrite the header from PHP header().
A 100% option to allow iframes with SAMEORIGIN is to specify the domains allowed for iframes in the frame-ancestors directive, which overrides X-Frame-Options.
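
Added example, not part of granty's answer: a simplified JavaScript model of the framing decision described above, covering the scheme/host/port comparison, the top-level-only versus whole-chain SAMEORIGIN check, and frame-ancestors taking precedence over X-Frame-Options. The function names, the `other.example` host and the sample header values are assumptions constructed for illustration.

```javascript
// Simplified model of a browser's framing decision (added example).
// For frame-ancestors only 'none', 'self' and exact http(s) origins are handled;
// wildcards and scheme-only sources are out of scope here.
const originOf = (url) => new URL(url).origin; // scheme + host + port

function frameAncestorsSources(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// headers: lower-cased response headers of the framed page.
// ancestors: URLs of the embedding documents, top-level document first.
// checkWholeChain: models the two browser behaviours for SAMEORIGIN.
function framingAllowed(frameUrl, headers, ancestors, checkWholeChain = true) {
  const self = originOf(frameUrl);
  const sources = frameAncestorsSources(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors present: X-Frame-Options is ignored, every ancestor is checked.
    const allowed = new Set(
      sources.filter((s) => /^https?:\/\/[^*]+$/i.test(s)).map(originOf));
    if (sources.includes("'self'")) allowed.add(self);
    return ancestors.every((a) => allowed.has(originOf(a)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') {
    const checked = checkWholeChain ? ancestors : ancestors.slice(0, 1);
    return checked.every((a) => originOf(a) === self);
  }
  return true; // no framing restriction sent
}

// Constructed sample: the framed page lives on http://site.ru.
const frame = 'http://site.ru/widget';
const xfoOnly = { 'x-frame-options': 'SAMEORIGIN' };
const withCsp = {
  'x-frame-options': 'SAMEORIGIN',
  'content-security-policy': "frame-ancestors 'self' https://site.ru http://www.site.ru",
};
for (const parent of ['http://site.ru/post', 'https://site.ru/post', 'http://www.site.ru/post']) {
  console.log(parent, 'XFO only:', framingAllowed(frame, xfoOnly, [parent]),
    '| with frame-ancestors:', framingAllowed(frame, withCsp, [parent]));
}
```
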
