x-frame-options

How do I get Sinatra to refrain from adding the X-Frame-Options header?

余生颓废 submitted on 2019-11-28 04:53:58
I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my response. How do I turn that off? Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header. You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you also are using sessions, and Rack::Protection itself doesn't enable some by default). To prevent sending the X-Frame-Options header you need to disable

X-Frame-Options SAMEORIGIN blocking iframe on my domain

时光怂恿深爱的人放手 submitted on 2019-11-28 03:12:08
Question: I'm using http://www.jacklmoore.com/colorbox to display the content of a URL in a lightbox. After implementation, the colorbox didn't show anything. Later, I noticed the following error in Chrome logs: Refused to display document because display forbidden by X-Frame-Options. So after documenting I added the following line to the root .htaccess of the website: Header always append X-Frame-Options SAMEORIGIN to allow iframe embedding on my own domain. But I still get the error, I'm newbie

Load denied by X-Frame-Options: does not permit framing

北城以北 submitted on 2019-11-27 22:44:57
I'm going to create a website which — in addition to its own content — would have links (in iframes) to the world's biggest newspaper websites like New York Times, Financial Times and some others. But I've been faced with a problem of framing permission. For example, NY Times shows me an error Load denied by X-Frame-Options: http://www.nytimes.com/ does not permit framing. I have read many forums and didn't find a workable solution. Tried to add Header always append X-Frame-Options SAMEORIGIN into .htaccess file but it didn't help. Is there any way to solve this problem? Some websites have a server

X-Frame-Options: ALLOW-FROM in firefox and chrome

*爱你&永不变心* submitted on 2019-11-27 18:16:00
I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx (splitting up URLs to post) In a nutshell, our partner's page has an iframe with a URL against our domain. For any page in our domain, they'll add a special URL argument like &@mykey=topleveldomain.com, telling us what the page's top level domain is. Our filters pick up the partner TLD, if provided, from the URL, and validate it against a whitelist. If it's

How to override X-Frame-Options for a controller or action in Rails 4

这一生的挚爱 submitted on 2019-11-27 17:25:42
Rails 4 appears to set a default value of SAMEORIGIN for the X-Frame-Options HTTP response header. This is great for security, but it does not allow for parts of your app to be available in an iframe on a different domain. You can override the value of X-Frame-Options globally using the config.action_dispatch.default_headers setting: config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://apps.facebook.com" But how do you override it for just a single controller or action? If you want to remove the header completely, you can create an after_action filter: class

Error: Permission denied to access property 'document'

邮差的信 submitted on 2019-11-27 14:12:41
I am continuously getting the error "Error: Permission denied to access property 'document'" while I have already defined in my X-FRAME options to allow the other domain, like this: <?php header('X-Frame-Options: ALLOW-FROM http://mydomain.com'); ?> Below is the header of the iframe request, which clearly shows I have defined to allow the domain to access the iframe, but it is not working. All I want is to resize the iframe using JavaScript. Here is my JavaScript code to resize the iframe height. <iframe src="http://mydomain.com/xxx/yyy" id="idIframe" onload="iframeLoaded();" allowtransparency="true"

X-Frame-Options on apache

落花浮王杯 submitted on 2019-11-27 11:45:00
Question: I am trying to allow some particular domain to access my site via iframe: Header set X-Frame-Options ALLOW-FROM https://www.that-site.com I know this could be done by adding the line above to the config of the Apache server. Two questions here. 1) Which config file should it be added to? The Apache is running on both Unix and Windows, if not the same file 2) While enabling the all-from, I still want to be able to run some iframe from my own domain. Can I just add the following line after the allow-from?

Why Iframe doesn't work for yahoo.com

橙三吉。 submitted on 2019-11-27 08:21:18
Question: I find this doesn't work: <iframe src="http://www.yahoo.com"> </iframe> I have read this question, but I don't understand what they mean by add: <?php header('X-Frame-Options: GOFORIT'); ?> I tried to add this to the top of my HTML file (changed it to a PHP file, of course), and my PHP file became: <?php header('X-Frame-Options: GOFORIT'); ?> <iframe src="http://www.yahoo.com"> </iframe> I run it in my appserv (with PHP 5.2.6), and it doesn't work. Could anybody explain what should I do exactly to

How to disable 'X-Frame-Options' response header in Spring Security?

落花浮王杯 submitted on 2019-11-27 06:35:29
I have CKeditor on my jsp and whenever I upload something, the following error pops out: Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'. I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags vtor By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config <http> <headers> <frame

How do I get Sinatra to refrain from adding the X-Frame-Options header?

旧街凉风 submitted on 2019-11-27 05:27:50
Question: I am using Sinatra to return some IFRAME contents, and I'd like to allow cross-domain src. Unfortunately, Sinatra is automatically adding an X-Frame-Options header to my response. How do I turn that off? Answer 1: Sinatra uses Rack::Protection, in particular the frame_options option, which is what is setting the X-Frame-Options header. You can configure which protections are used. Sinatra turns most of them on by default (some are only enabled if you also are using sessions, and Rack::Protection