I want to open the Developer Portal from an external resource or HTML page using an iframe tag.
When we try to open a developer portal in this way, the browser gives me an error, as in the dev-issue image attached here.
The browser shows X-Frame-Options set as "Same origin", and hence the browser will not display it in a cross-origin iframe.
By default, Drupal v7 emits the X-Frame-Options header to prevent clickjacking.
You can change this behavior. For information on how, see here, and look for "How to override the default behavior."
Maybe you wish to use ALLOW-FROM with the URL of the site that will embed the Drupal site in the iframe.
Just curious: why force the portal to show up in an iframe?
Actually, we have an application which is hosted on Tomcat, and we want to provide the link to the developer portal instance which will be installed in our private cloud. So when we click on the link to the developer portal on falcon, we get the above error.
I see. But why an iframe? Why not allow the link to be a regular hyperlink?
But you don't need to explain that to me. It's your decision. But you can fix up the ALLOW-FROM with the right Drupal configuration.
@Dino it works when I override $conf[x-frame-options] = ''
But I want to do
$conf[x-frame-options] = 'allow-from http://dynamic-url.mydomain.com'
How do I solve this? Shall I put just mydomain.com or *.mydomain.com?
Regards
Arpit
Per this answer: http://stackoverflow.com/a/21329576/48082
...you cannot allow multiple (wildcard) domains in an x-frame-options header.
So what you would need to do is, in Drupal, dynamically set the x-frame-options header depending on the inbound Referer header, but only if the inbound matches the wildcard *.mydomain.com.
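The Referer-based approach described in the reply above, as an added example that is not part of the original thread and is not Drupal or Apigee code. It goes one step beyond the thread by also emitting a CSP `frame-ancestors` directive, because current browsers ignore `ALLOW-FROM`. The function name `framing_headers_for`, the constant `BASE_DOMAIN` and the sample Referer values are assumptions made for illustration.

```php
<?php
// Added example; the base domain is the thread's placeholder.
const BASE_DOMAIN = 'mydomain.com';

// Hypothetical helper: choose framing headers from the inbound Referer.
// Anything that is not clearly a subdomain of $base gets SAMEORIGIN.
function framing_headers_for(?string $referer, string $base = BASE_DOMAIN): array {
  $default = ['X-Frame-Options' => 'SAMEORIGIN'];
  $parts = is_string($referer) ? parse_url($referer) : false;
  if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
    return $default; // missing or malformed Referer
  }
  $scheme = strtolower($parts['scheme']);
  $host = strtolower($parts['host']);
  if (!in_array($scheme, ['http', 'https'], true)
      || !preg_match('/\A[a-z0-9.-]+\z/', $host)) {
    return $default; // odd scheme, or characters unsafe to echo into a header
  }
  // Match on a label boundary: "x.mydomain.com" passes, while
  // "evilmydomain.com" and "mydomain.com.example.net" do not.
  $suffix = '.' . $base;
  if (substr($host, -strlen($suffix)) !== $suffix) {
    return $default;
  }
  $origin = $scheme . '://' . $host;
  if (isset($parts['port'])) {
    $origin .= ':' . $parts['port'];
  }
  return [
    'X-Frame-Options' => 'ALLOW-FROM ' . $origin,
    // Current browsers ignore ALLOW-FROM and read this directive instead.
    'Content-Security-Policy' => "frame-ancestors 'self' " . $origin,
  ];
}

// Constructed Referer values, printed with the headers each would receive.
$samples = [
  'http://x.mydomain.com/app/page',
  'http://y.mydomain.com:8080/',
  'http://evilmydomain.com/',
  'http://mydomain.com.example.net/',
  null,
];
foreach ($samples as $referer) {
  echo var_export($referer, true), "\n";
  foreach (framing_headers_for($referer) as $name => $value) {
    echo "  $name: $value\n";
  }
}
```

In a Drupal 7 module the returned pairs could be sent with `drupal_add_http_header()`. A framing page whose referrer policy suppresses the Referer header falls into the SAMEORIGIN branch and stays blocked.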
The domain will always be constant. The complete URL will vary.
Example: it could be http://x.mydomain.com or http://y.mydomain.com
The question is, will this work?
$conf[x-frame-options] = 'allow-from *.mydomain.com'
Regards
Arpit
Hi Arpit,
I understand the question you're asking, but I think you are not understanding the response I've already given. I have no new information to offer beyond what I've already provided, so I will try to say it a different way:
But I am not an expert on this. The question you are asking is not directly related to Apigee Edge or the Edge developer portal. The issue is with x-frame-options, which is a browser security mechanism, and specifically how to use it in your particular setup.
Therefore I think I have given you all the help I know how to give. I suggest that you try what I suggested above. Test it out. I expect you will find the approach that works for you.
Thanks Dino.