Nothing will unset X-Frame-Options (Apache, PHP 5.3)

Submitted by 心已入冬 on 2019-12-22 04:15:27

Question


I'm trying to implement an embeddable widget, functioning similarly to a Twitter embedded tweet. The simplest solution, though maybe not the best, appears to be an iframe or HTML5 embed - but both are being blocked by the X-Frame-Options header on the server.

I'm running PHP 5.3 and Apache 2.2 on a dedicated server under my full control.

I've tried placing the following on the very first line of the iframe PHP file:

header_remove("X-Frame-Options");

I've tried adding the following to .htaccess:

Header unset X-Frame-Options

I've checked httpd.conf, the vhost .conf file, even PHP.INI, and searched for "x-frame" - nothing apparently relevant in any of them.

No mod_security or other plugins that should be injecting this on this server that I see.

Yet curl verifies the following HTTP header no matter what I do:

X-Frame-Options: DENY

Is there some, maybe oddly named setting somewhere that could still be forcing this header in?


Answer 1:


X-Frame-Options was forced in by ssl.conf.

Commenting it out and restarting Apache allowed .htaccess and PHP header management to work again.




Answer 2:


I had the same problem, and I solved it by writing this in httpd.conf:

Header append X-Frame-Options ALLOWALL

Also, I had to configure the header module to be loaded in order for Apache to understand this directive. Then you must restart httpd.




Answer 3:


Just in case you want to modify this in .htaccess, this is the way:

Header always unset X-Frame-Options env=HTTPS
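
An added example, not part of the original question or answers: a small Python scanner that follows Include lines from the main Apache config and reports every Header directive naming X-Frame-Options, which is how a setting in an included file such as ssl.conf (Answer 1) can be located. It also records which header table each directive uses, because a header added with `Header always set` is only removed by `Header always unset` (the form in Answer 3), not by a plain `Header unset`. The names `find_xfo` and `demo` and the config tree are constructed for illustration, and a directory Include is expanded one level only.

```python
import glob
import os
import re
import tempfile

# Header [always|onsuccess] <action> X-Frame-Options [value]
HEADER_RE = re.compile(r'^\s*Header\s+(?:(always|onsuccess)\s+)?(\w+)\s+'
                       r'"?X-Frame-Options"?\s*(.*)$', re.I)
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)', re.I)

def find_xfo(conf, server_root, seen=None):
    """List every Header directive naming X-Frame-Options reachable from conf."""
    seen = set() if seen is None else seen
    path = os.path.abspath(os.path.join(server_root, conf))
    if path in seen or not os.path.isfile(path):
        return []
    seen.add(path)
    hits = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            # Both regexes anchor at line start, so '#' comments never match.
            inc, hdr = INCLUDE_RE.match(line), HEADER_RE.match(line)
            if inc:  # relative paths and wildcards resolve against ServerRoot
                pattern = os.path.join(server_root, inc.group(1))
                if os.path.isdir(pattern):
                    pattern = os.path.join(pattern, "*")
                for child in sorted(glob.glob(pattern)):
                    hits += find_xfo(child, server_root, seen)
            elif hdr:
                hits.append({"file": os.path.basename(path), "line": lineno,
                             "table": (hdr.group(1) or "onsuccess").lower(),
                             "action": hdr.group(2).lower(),
                             "value": hdr.group(3).strip()})
    return hits

def demo():
    """Constructed config tree: httpd.conf is clean, conf.d/ssl.conf is not."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf.d"))
    files = {"httpd.conf": "ServerName example.test\nInclude conf.d/*.conf\n",
             "conf.d/ssl.conf": "# Header set X-Frame-Options SAMEORIGIN\n"
                                "Header always set X-Frame-Options DENY\n"}
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return find_xfo("httpd.conf", root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real server, call `find_xfo` with the main config file and the ServerRoot directory of that installation.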


Source: https://stackoverflow.com/questions/33172248/nothing-will-unset-x-frame-options-apache-php-5-3
