Solved it by changing proxy_hide_header values in /etc/nginx/sites-available/default file like so: proxy_hide_header X-Frame-Options; Needed to restart nginx as well as use pm2 to restart my nodejs server (for some reason, it didn’t work till I made a small change to my server and restarted it).
If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin). Allowing all domains is the default. Don’t set the X-Frame-Options header at all if you want that. Note that the successor to X-Frame-Options — CSP’s frame-ancestors directive — accepts a list of allowed origins so you can … Read more
You can’t set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource (google.com.ua in your example). They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. For … Read more
Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header. You can configure which protections are used. Sinatra turns most of them on by default, (some are only enabled if you also are using sessions, and Rack::Protection itself doesn’t enable some by default). To prevent sending the X-Frame-Options header … Read more
in Chrome and Safari you need to use Content-Security-Policy Content-Security-Policy: frame-ancestors domain.com You can check more details on this site: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
You are going in the right direction, but exact decorator which you will need to achieve this is ‘xframe_options_exempt’. from django.http import HttpResponse from django.views.decorators.clickjacking import xframe_options_exempt @xframe_options_exempt def ok_to_load_in_a_frame(request): return HttpResponse(“This page is safe to load in a frame on any site.”) PS: DJango 1.6 is no longer supported. It is good time to … Read more
You can add to .htaccess, httpd.conf or VirtualHost section Header set X-Frame-Options SAMEORIGIN this is the best option Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN
Try just to delete this header ‘X-Frame-Options’. Maybe this way in controller: before_filter :allow_iframe_requests … def allow_iframe_requests response.headers.delete(‘X-Frame-Options’) end
There’s no need for a custom HttpModule or ActionFilter if you need it for every page. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options details a much simpler solution: To configure IIS to send the X-Frame-Options header, add this your site’s Web.config file: <system.webServer> <!– … –> <httpProtocol> <customHeaders> <add name=”X-Frame-Options” value=”SAMEORIGIN” /> </customHeaders> </httpProtocol> <!– … –> </system.webServer>
OK, this one is old but still relevant. Fact: When an iframe loads a url which is blocked by a X-Frame-Options the loading time is very short. Hack: So if the onload occurs immediately I know it’s probably a X-Frame-Options issue. Disclaimer: This is probably one of the ‘hackiest’ code I’ve written, so don’t expect … Read more