I had a similar issue, where I was trying to display content from our own site in an iframe (as a lightbox-style dialog with Colorbox), and where we had an server-wide "X-Frame-Options SAMEORIGIN" header on the source server preventing it from loading on our test server.
This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (eg., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.
eg. for PHP, putting
<?php
header('X-Frame-Options: GOFORIT');
?>
at the top of your page will make browsers combine the two, which results in a header of
X-Frame-Options SAMEORIGIN, GOFORIT
...and allows you to load the page in an iframe. This seems to work when the initial SAMEORIGIN command was set at a server level, and you'd like to override it on a page-by-page case.
All the best!
I had a frame around a website. On my website, I'm redirecting to Instagram for OAUTH. Since Instagram sends
X-Frame-Options: SAMEORIGINthere is no way to do this inside the frame. You must use a popup.With PHP it's probably better to use the new
header_removefunction, provided you have it available (>=5.3.0).Or you can edit .htaccess if you want to remove X-Frame-Options from an entire directory. Just add the line:
Header always unset X-Frame-Options@cawecoy: Well yes, the whole point is that it's invalid. It relies on browsers ignoring the invalid header and ‘failing open’, which is unspecified behaviour and pretty dodgy to rely on.
GOFORIT(or other random arbitrary invalid token) is deliberately breaking a security measure applied by a server; if you have control of the server yourself (which you should do for any real public service) then the correct thing to do is just set the server not to set the header in the first place.This doesn't seem to work any longer in Chrome. Invalid values cause the value to default to DENY.