New X-Frame-Options setting breaks the Media Browser window

rpet2
Participant I

I just updated to Developer Services 17.02.21.00 yesterday, and when trying to edit a node and add an image via the Media browser WYSIWYG, you just get a white screen and it is blocked from loading because of a new setting in the apigee_profile_updates module:

/**
 * Set X-Frame-Options header to DENY.
 */
function apigee_profile_updates_update_7108() {
  variable_set('x_frame_options', 'DENY');
  drupal_theme_rebuild();
}

I think this should be set to SAMEORIGIN? As it is, the WYSIWYG editor is completely broken for adding/editing media on a page.

10 REPLIES

Not applicable

Thanks for reporting this. I am creating an internal ticket to address this.

As a temporary workaround, using drush you can reset this as follows:

drush vset x_frame_options SAMEORIGIN

Let me know if you do not have drush access.

I'm hosted on Pantheon, so I'll have to fix it via my own update hook. No problem. Just wondering why this was done, and it seems like it wasn't tested thoroughly.

For others that will look like this (put this in your own custom module's .install file):

/**
 * Set X-Frame-Options header to SAMEORIGIN.
 */
function custommodulename_update_N() {
  variable_set('x_frame_options', 'SAMEORIGIN');
  drupal_theme_rebuild();
}

And replace the "N" with the next highest number for your update hooks.

I have recently installed the developer portal, and I face the same issue.

When trying to execute your drush command above, I get the error below:

[apigee@apigeeDevPortal apigee-drupal]$ drush vset x_frame_options SAMEORIGIN

Command variable-set needs a higher bootstrap level to run - you will need to invoke drush from a more functional Drupal [error] environment to run this command.

Command variable-set requires Drupal core version 6 or 7 to run. [error] The drush command 'vset x_frame_options SAMEORIGIN' could not be executed. [error]

Your support will be highly appreciated.

You will get that error if you are not in the webroot of the Drupal install, because Drush is not sure which installation you want to work against. If you are running the latest versions of private cloud (OPDK), the webroot is /opt/apigee/apigee-drupal/wwwroot. cd into that directory and run the command again.


https://docs.apigee.com/private-cloud/v4.18.01/commonly-used-drush-commands

Another way is to use the devel module. After enabling the module, go to <hostname>?q=devel/variable (or just <hostname>/devel/variable if you have clean URLs on), find the variable you need to change in the table and click on edit next to it.

Not applicable

Have you looked into the Security Kit module? It allows setting this value as well as configuring many other security-hardening tactics.

I submitted a patch to the Security Kit team to allow whitelisting the media-browser URL when X-Frame-Options is set to Deny. We'll see if it goes anywhere.

I recently installed the Apigee developer portal and am facing the same issue. Could you please advise?

It looks like this fix was missed and not put in place @Shawky Foda, but it will be out in the next release in about a month. I am sure you do not want to wait until then, so you can fix this issue by setting the x_frame_options Drupal variable as discussed above.

devin15
Participant I

I fixed this on Pantheon by installing Terminus and running:

terminus drush <site>.<env> -- vset x_frame_options SAMEORIGIN

Thank you!! This worked for me!!
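
Added example (not from the thread and not Apigee or Drupal code): a small Python model of the X-Frame-Options check a browser applies to a framed response. It shows why DENY blanks the same-origin media browser frame while SAMEORIGIN allows it and still refuses cross-origin framing. The hostnames, the /media/browser path and the sample response headers are constructed assumptions, and Content-Security-Policy frame-ancestors is not modelled.

```python
"""Model of how a browser applies X-Frame-Options to a framed response."""
from urllib.parse import urlsplit

KNOWN = {"deny", "sameorigin", "allowall"}

# Constructed sample data: hypothetical portal URLs and response headers.
EDIT_PAGE = "https://portal.example.com/node/12/edit"
MEDIA_BROWSER = "https://portal.example.com/media/browser"
OTHER_SITE = "https://other.example.net/page"
DENY_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
SAMEORIGIN_RESPONSE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"


def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def xfo_values(raw_headers):
    """Collect lowercased X-Frame-Options values from raw header lines."""
    values = set()
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def framing_allowed(raw_headers, framed_url, ancestor_urls):
    """True if the response at framed_url may render inside the given ancestors."""
    values = xfo_values(raw_headers)
    if len(values) > 1:
        # Conflicting recognised values fail closed; unknown-only lists are ignored.
        return not (values & KNOWN)
    if "deny" in values:
        return False  # no framing at all, not even by the site's own pages
    if "sameorigin" in values:
        return all(origin(a) == origin(framed_url) for a in ancestor_urls)
    return True  # header absent, or a single unrecognised value


if __name__ == "__main__":
    for label, headers in (("DENY", DENY_RESPONSE), ("SAMEORIGIN", SAMEORIGIN_RESPONSE)):
        print(label, "editor frame:", framing_allowed(headers, MEDIA_BROWSER, [EDIT_PAGE]),
              "| cross-origin frame:", framing_allowed(headers, MEDIA_BROWSER, [OTHER_SITE]))
```

To check a live portal after changing the variable, pass the raw response headers of the media browser URL to framing_allowed in place of the constructed samples.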