How to handle X-frame-Options response header?

I want to open the Developer Portal from an external resource or HTML page using an iframe tag.

When we try to open the developer portal in this way, the browser gives me an error, as in the dev-issue image attached here.

The browser shows X-Frame-Options set to "SAMEORIGIN", and hence the browser will not display it in an iframe cross-origin.

1 ACCEPTED SOLUTION

By default, Drupal v7 emits the X-Frame-Options header to prevent clickjacking.

You can change this behavior. For information on how, see here, and look for "How to override the default behavior."

Maybe you wish to use ALLOW-FROM with the url of the site that will embed the drupal site in the iframe.

Just curious: why force the portal to show up in an iframe?

8 REPLIES

Actually we have an application which is hosted on Tomcat. And we want to provide the link of the developer portal instance, which will be installed in our private cloud. So when we click on the link of the developer portal on Falcon, then we get the above error.

I see. But why an iframe? Why not allow the link to be a regular hyperlink?

But you don't need to explain that to me. It's your decision. But you can fixup the ALLOW-FROM with the right Drupal configuration.

@Dino it works when I override `$conf['x_frame_options'] = '';`

But I want to do

`$conf['x_frame_options'] = 'allow-from http://dynamic-url.mydomain.com';`

How do I solve this, shall I put just mydomain.com or *.mydomain.com?

Regards

Arpit

Per this answer: http://stackoverflow.com/a/21329576/48082

...you cannot allow multiple (wildcard) domains in an x-frame-options header.

So what you would need to do is, in drupal, dynamically set the x-frame-options header depending on the inbound referer header, but only if the inbound matches the wildcard *.mydomain.com .

The domain will always be constant. The complete URL will vary.

Example : it could be http://x.mydomain.com or http://y.mydomain.com

Question is that will this work?

`$conf['x_frame_options'] = 'allow-from *.mydomain.com';`

Regards

Arpit

Hi Arpit,

I understand the question you're asking, but I think you are not understanding the response I've already given. I have no new information to offer beyond what I've already provided, so I will try to say it a different way:

  1. you cannot use wildcard domains in an x-frame-options header. (See the stackoverflow link I cited).
  2. if the referer is x.mydomain.com, then you can use ALLOW-FROM with x.mydomain.com, whereas if the referer is y.mydomain.com then you can use ALLOW-FROM with y.mydomain.com. This will require some coding on the drupal side. You will need to check the referer against a list of trusted referers. The X-frame-options is checked only when the iframe is initialized. You need to pass it back only on the first request. Simply check the referer and build the appropriate response header at that point.

But I am not an expert on this. The question you are asking is not directly related to Apigee Edge or the Edge developer portal. The issue is with X-Frame-Options, which is a browser security mechanism, and specifically how to use it in your particular setup.

Therefore I think I have given you all the help I know how to give. I suggest that you try what I suggested above. Test it out. I expect you will find the approach that works for you.
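The approach Dino describes, as added example code that is not from this thread, from Apigee or from Drupal: check the inbound Referer against the trusted parent domain and build the header for that one origin per request. It assumes the trusted parent domain is `mydomain.com` as in the thread, and it goes beyond the thread by also emitting the equivalent `Content-Security-Policy: frame-ancestors` directive, since `ALLOW-FROM` is not honored by every browser.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: the only trusted embedding sites are mydomain.com and its
# subdomains, as in the thread; replace with your own parent domain or list.
TRUSTED_PARENT_DOMAIN = "mydomain.com"


def embedding_origin(referer: Optional[str]) -> Optional[str]:
    """Return the origin (scheme://host[:port]) of a trusted Referer, else None.

    The Referer header is optional (Referrer-Policy, privacy settings, direct
    navigation), so a missing or unparsable value falls through to the safe default.
    """
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    if parts.scheme not in ("http", "https") or not host:
        return None
    # Match only on a label boundary: "x.mydomain.com" and "mydomain.com" pass,
    # but "evilmydomain.com" (naive endswith) and "mydomain.com.evil.net"
    # (naive substring) do not.
    if host != TRUSTED_PARENT_DOMAIN and not host.endswith("." + TRUSTED_PARENT_DOMAIN):
        return None
    return f"{parts.scheme}://{host}" + (f":{port}" if port else "")


def frame_headers(referer: Optional[str]) -> Dict[str, str]:
    """Build the anti-clickjacking headers for one response.

    Untrusted or absent Referer -> keep Drupal's SAMEORIGIN default.
    Trusted Referer -> ALLOW-FROM that single origin (wildcards are not valid),
    plus the CSP equivalent for browsers that ignore ALLOW-FROM.
    """
    origin = embedding_origin(referer)
    if origin is None:
        return {
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'",
        }
    return {
        "X-Frame-Options": f"ALLOW-FROM {origin}",
        "Content-Security-Policy": f"frame-ancestors 'self' {origin}",
    }
```

In a Drupal 7 module this logic would run per request from hook_init() and emit the result with drupal_add_http_header(), with `$conf['x_frame_options'] = ''` disabling the core header as Arpit found.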

Thanks Dino.