I'm writing a tiny webpage whose purpose is to frame a few other pages, simply to consolidate them into a single browser window for ease of viewing. A few of the pages I'm trying to frame forbid being framed and throw a "Refused to display document because display forbidden by X-Frame-Options." error in Chrome. I understand that this is a security limitation (for good reason), and don't have access to change it.
Is there any alternative framing or non-framing method to display pages within a single window that won't get tripped up by the X-Frame-Options header?
I had a similar issue, where I was trying to display content from our own site in an iframe (as a lightbox-style dialog with Colorbox), and where we had a server-wide "X-Frame-Options SAMEORIGIN" header on the source server preventing it from loading on our test server.
This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (e.g., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.
e.g. for PHP, putting
<?php
header('X-Frame-Options: GOFORIT');
?>
at the top of your page will make browsers combine the two, which results in a header of
X-Frame-Options SAMEORIGIN, GOFORIT
...and allows you to load the page in an iframe. This seems to work when the initial SAMEORIGIN command was set at a server level, and you'd like to override it on a page-by-page case.
All the best!
I had a frame around a website. On my website, I'm redirecting to Instagram for OAUTH. Since Instagram sends
X-Frame-Options: SAMEORIGIN
there is no way to do this inside the frame. You must use a popup. With PHP it's probably better to use the new header_remove function, provided you have it available (>=5.3.0). Or you can edit .htaccess if you want to remove X-Frame-Options from an entire directory. Just add the line:
Header always unset X-Frame-Options
@cawecoy: Well yes, the whole point is that it's invalid. It relies on browsers ignoring the invalid header and ‘failing open’, which is unspecified behaviour and pretty dodgy to rely on. GOFORIT (or other random arbitrary invalid token) is deliberately breaking a security measure applied by a server; if you have control of the server yourself (which you should do for any real public service) then the correct thing to do is just set the server not to set the header in the first place.
This doesn't seem to work any longer in Chrome. Invalid values cause the value to default to DENY.
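To make the answer's header-stacking trick and the comments' objection concrete, here is an added example (not code from the question, the answer, or any commenter) that audits the X-Frame-Options values a response actually carries. It models the behaviour the last comment describes for Chromium: every X-Frame-Options token is collected, whether it arrives as a repeated header or as one comma-joined value like "SAMEORIGIN, GOFORIT", tokens are compared case-insensitively, two different tokens are a conflict that Chromium resolves to DENY, and a lone unrecognized token is ignored. It also reports when an enforced CSP frame-ancestors directive is present, since that takes precedence over X-Frame-Options in current browsers. The header names and the sample responses are constructed for the example; the function and class names are my own.

```python
"""Audit the effective X-Frame-Options (XFO) policy of an HTTP response.

Added example, not code from the original thread. It models the token
collection and conflict handling described in the comments above (Chromium:
conflicting values fall back to DENY, a lone unknown value is ignored) and
flags the cases a header audit should report.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs, in arrival order

# Values defined by RFC 7034 (ALLOW-FROM is obsolete and ignored by browsers).
VALID = {"deny", "sameorigin"}
# "allowall" is not a valid value, but it is common enough in the wild that
# Chromium treats it as its own token rather than as generic garbage.
KNOWN = VALID | {"allowall"}


def xfo_tokens(headers: Headers) -> List[str]:
    """Every X-Frame-Options token, trimmed and lower-cased, in arrival order.

    Handles both a repeated header and a single comma-joined value, which is
    the form an intermediary produces when it merges two headers.
    """
    tokens: List[str] = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for part in value.split(","):
            part = part.strip().lower()
            if part:
                tokens.append(part)
    return tokens


def effective_xfo(headers: Headers) -> str:
    """Collapse the tokens into one effective policy.

    Returns 'none', 'deny', 'sameorigin', 'allowall', 'invalid' or 'conflict'.
    'conflict' is what "SAMEORIGIN, GOFORIT" produces: two different tokens,
    which Chromium resolves to DENY and reports in the console.
    """
    tokens = xfo_tokens(headers)
    if not tokens:
        return "none"
    kinds = {t if t in KNOWN else "invalid" for t in tokens}
    return "conflict" if len(kinds) > 1 else kinds.pop()


def csp_has_frame_ancestors(headers: Headers) -> bool:
    """True if an enforced CSP carries frame-ancestors, which overrides XFO."""
    for name, value in headers:
        if name.lower() != "content-security-policy":  # report-only excluded
            continue
        for directive in value.split(";"):
            if directive.strip().lower().startswith("frame-ancestors"):
                return True
    return False


@dataclass
class Verdict:
    policy: str               # effective XFO class, or 'csp' when CSP governs
    blocked: Optional[bool]   # None when frame-ancestors decides instead
    finding: str              # what a header audit should report


def audit(headers: Headers, framer_is_same_origin: bool) -> Verdict:
    """Decide whether the response would render in a frame, and why."""
    if csp_has_frame_ancestors(headers):
        return Verdict("csp", None, "frame-ancestors present; X-Frame-Options "
                       "is ignored, evaluate the CSP source list instead")
    policy = effective_xfo(headers)
    if policy == "deny":
        return Verdict(policy, True, "DENY: never framed")
    if policy == "conflict":
        return Verdict(policy, True, "conflicting X-Frame-Options values; "
                       "browsers fall back to DENY, remove the server-wide "
                       "header instead of stacking a second one")
    if policy == "sameorigin":
        return Verdict(policy, not framer_is_same_origin,
                       "SAMEORIGIN: framed only by same-origin documents")
    if policy == "invalid":
        return Verdict(policy, False, "unrecognized value is ignored, so the "
                       "page is framable by anyone; not a supported setting")
    if policy == "allowall":
        return Verdict(policy, False, "ALLOWALL is not a valid value; the "
                       "page is framable by anyone")
    return Verdict(policy, False, "no X-Frame-Options and no frame-ancestors: "
                   "framable by anyone")


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    cases = {
        "server-wide SAMEORIGIN": [("X-Frame-Options", "SAMEORIGIN")],
        "stacked second header": [("X-Frame-Options", "SAMEORIGIN"),
                                  ("X-Frame-Options", "GOFORIT")],
        "merged by a proxy": [("X-Frame-Options", "SAMEORIGIN, GOFORIT")],
        "header unset at server": [("Content-Type", "text/html")],
        "CSP governs": [("X-Frame-Options", "DENY"),
                        ("Content-Security-Policy", "frame-ancestors 'self'")],
    }
    for label, hdrs in cases.items():
        v = audit(hdrs, framer_is_same_origin=False)
        print(f"{label:24} -> {v.policy:10} blocked={v.blocked}  {v.finding}")
```

The "stacked second header" and "merged by a proxy" cases both come out as a conflict, which is why the answer's approach stops working once a browser treats conflicting values as DENY. The cases a defender actually wants are "header unset at server" (the `Header always unset` route from the comment, applied only where framing is intended) or a CSP `frame-ancestors` list naming the permitted framing origins.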