Overcoming Display forbidden by X-Frame-Options

Question

I m writing a tiny webpage whose purpose is to frame a few other pages  simply to consolidate them into a single browser window for ease of viewing   A few of the pages I m trying to frame forbid being framed and throw a  Refused to display document because display forbidden by X-Frame-Options   error in Chrome   I understand that this is a security limitation  for good reason   and don t have access to change it   Is there any alternative framing or non-framing method to display pages within a single window that won t get tripped up by the X-Frame-Options header

User · Answer

lt form target  quot  parent quot        gt   Using Kevin Vella s idea  I tried using the above on the form element made by PayPal s button generator  Worked for me so that Paypal does not open in a new browser window tab  Update Here s an example  Generating a button as of today  01-19-2021   PayPal automatically includes target  quot  top quot  on the form element  but if that doesn t work for your context  try a different target value  I suggest  parent -- at least that worked when I was using this PayPal button  See Form Target Values for more info   lt form action  quot https   www paypal com cgi-bin webscr quot  method  quot post quot  target  quot  parent quot  gt     lt input type  quot hidden quot  name  quot cmd quot  value  quot  xclick quot  gt     lt input type  quot hidden quot  name  quot business quot  value  quot name email com quot  gt     lt input type  quot hidden quot  name  quot lc quot  value  quot US quot  gt     lt input type  quot hidden quot  name  quot button subtype quot  value  quot services quot  gt     lt input type  quot hidden quot  name  quot no note quot  value  quot 0 quot  gt     lt input type  quot hidden quot  name  quot currency code quot  value  quot USD quot  gt     lt input type  quot hidden quot  name  quot bn quot  value  quot PP-BuyNowBF btn buynowCC LG gif NonHostedGuest quot  gt     lt input type  quot image quot  src  quot https   www paypalobjects com en US i btn btn buynowCC LG gif quot  border  quot 0 quot  name  quot submit quot  alt  quot PayPal - The safer  easier way to pay online  quot  gt     lt img alt  quot  quot  border  quot 0 quot  src  quot https   www paypalobjects com en US i scr pixel gif quot  width  quot 1 quot  height  quot 1 quot  gt   lt  form gt

User · Answer

I tried nearly all suggestions  However  the only thing that really solved the issue was    Create an  htaccess in the same folder where your PHP file lies  Add this line to the htaccess   Header always unset X-Frame-Options   Embedding the PHP by an iframe from another domain should work afterwards   Additionally you could add in the beginning of your PHP file   header  X-Frame-Options  ALLOW      Which was  however  not necessary in my case

User · Answer

If you are getting this error while trying to embed a Google Map in an iframe  you need to add  amp output embed to the source link

User · Answer

If you re getting this error trying to embed Vimeo content  change the src of the iframe  from  https   vimeo com 63534746 to  http   player vimeo com video 63534746

User · Answer

UPDATE 2019  You can bypass X-Frame-Options in an  lt iframe gt  using just client-side JavaScript and my X-Frame-Bypass Web Component  Here is a demo  Hacker News in an X-Frame-Bypass   Tested in Chrome  amp  Firefox

User · Answer

Solution for loading an external website into an iFrame even tough the x-frame option is set to deny on the external website   If you want to load a other website into an iFrame and you get the Display forbidden by X-Frame-Options    error then you can actually overcome this by creating a server side proxy script    The src attribute of the iFrame could have an url looking like this   proxy php url https   www example com page amp key somekey  Then proxy php would look something like   if  isValidRequest         echo file get contents   GET  url        function isValidRequest         return   SERVER  REQUEST METHOD        GET   amp  amp  isset   GET  key     amp  amp         GET  key        somekey       This by passes the block  because it is just a GET request that might as wel have been a ordinary browser page visit   Be aware  You might want to improve the security in this script  Because hackers could start loading in webpages via your proxy script

User · Answer

I came across this issue when running a wordpress web site  I tried all sorts of things to fix it and wasn t sure how  ultimately the issue was because I was using DNS forwarding with masking  and the links to external sites were not being addressed properly  i e  my site was hosted at http   123 456 789 index html but was masked to run at http   somewebSite com index html  When i entered http   123 456 789 index html in the browser clicking on those same links resulted in no X-frame-origins issues in the JS console  but running http   somewebSite com index html did  In order to properly mask you must add your host s DNS name servers to your domain service  i e  godaddy com should have name servers of example  ns1 digitalocean com  ns2 digitalocean com  ns3 digitalocean com  if you were using digitalocean com as your hosting service

User · Answer

There is a plugin for Chrome  that drops that header entry  for personal use only    https   chrome google com webstore detail ignore-x-frame-headers gleekbfjekiniecknbkamfmkohkpodhe reviews

User · Answer

It appears that X-Frame-Options Allow-From https       is depreciated and was replaced  and gets ignored  if you use Content-Security-Policy header instead   Here is the full reference  https   content-security-policy com

User · Answer

FWIW   We had a situation where we needed to kill our iFrame when this  breaker  code showed up  So  I used the PHP function get headers  url   to check out the remote URL before showing it in an iFrame  For better performance  I cached the results to a file so I was not making a HTTP connection each time

User · Answer

This is the solution guys    FB Event subscribe  edge create   function response        window top location href    url         The only thing that worked for facebook apps

User · Answer

It s surprising that no one here has ever mentioned Apache server s settings    conf files  or  htaccess file itself as being a cause of this error  Search through your  htaccess or Apache configuration files  making sure that you don t have the following set to DENY   Header always set X-Frame-Options DENY  Changing it to SAMEORIGIN  makes things work as expected    Header always set X-Frame-Options SAMEORIGIN

User · Answer

I had same issue when I tried embed moodle 2 in iframe  solution is Site administration   Security   HTTP security and check Allow frame embedding

User · Answer

Not mentioned but can help in some instances   var xhr   new XMLHttpRequest    xhr onreadystatechange   function         if  xhr readyState     4  return      if  xhr status     200            var doc   iframe contentWindow document          doc open            doc write xhr responseText           doc close            xhr open  GET   url  true   xhr send null

User · Answer

The only question that has a bunch of answers  WElcome to the guide i wish i had when i was scrambling for this to make it work at 10 30 at night on the deadline day    FB does some weird things with canvas apps  and well  you ve been warned   If youa re still here and you have a Rails app that will appear behind a Facebook Canvas  then you will need   Gemfile   gem  rack-facebook-signed-request    git   gt   git   github com cmer rack-facebook-signed-request git    config facebook yml  facebook    key   123123123123    secret   123123123123123123secret12312    config application rb  config middleware use Rack  Facebook  SignedRequest  app id   123123123123   secret   123123123123123123secret12312   inject facebook  false   config initializers omniauth rb  OmniAuth config logger   Rails logger SERVICES   YAML load File open      Rails root  config oauth yml   read  Rails application config middleware use OmniAuth  Builder do   provider  facebook  SERVICES  facebook    key    SERVICES  facebook    secret    iframe    true end   application controller rb  before filter  add xframe def add xframe   headers  X-Frame-Options      GOFORIT  end   You need a controller to call from Facebook s canvas settings  i used  canvas  and made the route go the main SiteController for this app    class SiteController  lt  ApplicationController   def index      user   User new   end   def canvas     redirect to   auth failure  if request params  error       access denied      url   params  code       auth facebook signed request   params  signed request    state canvas      login      redirect to url   end   def login   end end   login html erb     lt  content for  javascript do      var oauth url    https   www facebook com dialog oauth      oauth url      client id 471466299609256     oauth url      redirect uri     encodeURIComponent  https   apps facebook com wellbeingtracker       oauth url      scope email status update publish stream   console log oauth url     top location href   oauth url   lt  end      Sources   The config i think came from omniauth s example   The gem file  which is key     came from  slideshare things i learned     This stack question had the whole Xframe angle  so you ll get a blank space  if you don t put this header in the app controller  And my man  rafmagana wrote this heroku guide  which now you can adopt for rails with this answer and the shoulders of giants in which you walk with

User · Answer

Edit  htaccess if you want to remove X-Frame-Options from an entire directory   And add the line  Header always unset X-Frame-Options   contents from  Overcoming  quot Display forbidden by X-Frame-Options quot

User · Answer

I m not sure how relevant it is  but I built a work-around to this  On my site  I wanted to display link in a modal window that contained an iframe which loads the URL    What I did is  I linked the click event of the link to this javascript function  All this does is make a request to a PHP file that checks the URL headers for X-FRAME-Options before deciding whether to load the URL within the modal window or to redirect   Here s the function     function opentheater link  title             get   url origin helper php url   encodeURIComponent link   function  data       if data     ya              modal-title   html   lt h3 style  color 480060   gt   title   amp nbsp  amp nbsp  amp nbsp  lt small gt   link   lt  small gt  lt  h3 gt                 linkcontent   attr  src   link               myModal   modal  show          else        window location href   link          alert data                         Here s the PHP file code that checks for it    lt  php  url   rawurldecode   REQUEST  url      header   get headers  url  1   if array key exists  X-Frame-Options    header        echo  nein     else      echo  ya         gt    Hope this helps

User · Answer

i had this problem  and resolved it editing httd conf   lt IfModule headers module gt       lt IfVersion  gt   2 4 7  gt          Header always setifempty X-Frame-Options GOFORIT      lt  IfVersion gt       lt IfVersion  lt  2 4 7  gt          Header always merge X-Frame-Options GOFORIT      lt  IfVersion gt   lt  IfModule gt    i changed SAMEORIGIN to GOFORIT and restarted   server

User · Answer

Adding a     target   top    to my link in the facebook tab fixed the issue for me

User · Answer

I was using Tomcat 8 0 30  none of the suggestions worked for me  As we are looking to update the X-Frame-Options and set it to ALLOW  here is how I configured to allow embed iframes     Navigate to Tomcat conf directory  edit the web xml file  Add the below filter      lt filter gt               lt filter-name gt httpHeaderSecurity lt  filter-name gt               lt filter-class gt org apache catalina filters HttpHeaderSecurityFilter lt  filter-class gt                      lt init-param gt                              lt param-name gt hstsEnabled lt  param-name gt                              lt param-value gt true lt  param-value gt                      lt  init-param gt                      lt init-param gt                              lt param-name gt antiClickJackingEnabled lt  param-name gt                              lt param-value gt true lt  param-value gt                      lt  init-param gt                      lt init-param gt                              lt param-name gt antiClickJackingOption lt  param-name gt                              lt param-value gt ALLOW-FROM lt  param-value gt                      lt  init-param gt               lt async-supported gt true lt  async-supported gt          lt  filter gt           lt filter-mapping gt                      lt filter-name gt httpHeaderSecurity lt  filter-name gt                      lt url-pattern gt    lt  url-pattern gt                      lt dispatcher gt REQUEST lt  dispatcher gt          lt  filter-mapping gt        Restart Tomcat service   Access the resources using an iFrame

User · Answer

Use this line given below instead of header   function    echo   lt script gt window top location    https   apps facebook com yourappnamespace    lt  script gt

User · Answer

Try this thing  i dont think anyone suggested this in the Topic  this will resolve like 70  of your issue  for some other pages  you have to scrap  i have the full solution but not for public   ADD below to your iframe  sandbox  allow-same-origin allow-scripts allow-popups allow-forms

User · Answer

I had the same problem with mediawiki  this was because the server denied embedding the page into an iframe for security reasons   I solved it writing    wgEditPageFrameOptions    SAMEORIGIN      into the mediawiki php config file   Hope it helps

User · Answer

The only real answer  if you don t control the headers on your source you want in your iframe  is to proxy it  Have a server act as a client  receive the source  strip the problematic headers  add CORS if needed  and then ping your own server   There is one other answer explaining how to write such a proxy  It isn t difficult  but I was sure someone had to have done this before  It was just difficult to find it  for some reason   I finally did find some sources   https   github com Rob--W cors-anywhere  documentation    preferred  If you need rare usage  I think you can just use his heroku app  Otherwise  it s code to run it yourself on your own server  Note sure what the limits are   whateverorigin org     second choice  but quite old  supposedly newer choice in python  https   github com Eiledon alloworigin  then there s the third choice   http   anyorigin com   Which seems to allow a little free usage  but will put you on a public shame list if you don t pay and use some unspecified amount  which you can only be removed from if you pay the fee

User · Answer

I had a similar issue  where I was trying to display content from our own site in an iframe  as a lightbox-style dialog with Colorbox   and where we had an server-wide  X-Frame-Options   SAMEORIGIN  header on the source server preventing it from loading on our test server   This doesn t seem to be documented anywhere  but if you can edit the pages you re trying to iframe  eg   they re your own pages   simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands   eg  for PHP  putting    lt  php     header  X-Frame-Options  GOFORIT       gt    at the top of your page will make browsers combine the two  which results in a header of  X-Frame-Options SAMEORIGIN  GOFORIT      and allows you to load the page in an iframe  This seems to work when the initial SAMEORIGIN command was set at a server level  and you d like to override it on a page-by-page case   All the best

User · Answer

If you are getting this error for a YouTube video  rather than using the full url use the embed url from the share options  It will look like http   www youtube com embed eCfDxZxTBW4  You may also replace watch v  with embed  so http   www youtube com watch v eCfDxZxTBW4 becomes http   www youtube com embed eCfDxZxTBW4

[iframe] Overcoming "Display forbidden by X-Frame-Options"

Examples related to iframe

Examples related to frames

Examples related to x-frame-options