I'm trying to implement an embeddable widget, functioning similar to a Twitter embedded tweet. The simplest solution, though maybe not the best, appears to be an iframe or HTML5 embed - but both are being blocked by the X-Frame-Options header on the server.
I'm running PHP 5.3 and Apache 2.2 on a dedicated server under my full control.
I've tried placing on the first line of the very first line of the iframe PHP file:
header_remove("X-Frame-Options");
I've tried adding the following to .htaccess:
Header unset X-Frame-Options
I've checked httpd.conf, the vhost .conf file, even PHP.INI, and searched for "x-frame" - nothing apparently relevant in either.
No mod_security or other plugins that should be injecting this on this server that I see.
Yet curl verifies the following HTTP header no matter what I do:
X-Frame-Options: DENY
Is there some, maybe oddly named setting somewhere that could still be forcing this header in?
X-Frame-Options was forced in by ssl.conf.
Commenting out and restarting Apache allowed .htaccess and PHP header management to work again.
I had the same problem, and I solved writing this in httpd.conf
Header append X-Frame-Options ALLOWALL
also I had to configured the header module to be loaded, in order to apache to understand this directive. Then you must restart httpd.
Just in case if you want to modify this in .htaccess this will be the way:
Header always unset X-Frame-Options env=HTTPS;
来源:https://stackoverflow.com/questions/33172248/nothing-will-unset-x-frame-options-apache-php-5-3