Question
I'm using http://www.jacklmoore.com/colorbox to display the content of a URL in a lightbox. After implementation, the colorbox didn't show anything.
Later, I noticed the following error in the Chrome logs:
Refused to display document because display forbidden by X-Frame-Options.
So after reading the documentation, I added the following line to the root .htaccess of the website:
Header always append X-Frame-Options SAMEORIGIN
to allow iframe embedding on my own domain.
But I still get the error. I'm a newbie to X-Frame-Options, and I'm working on an existing application, so I thought the .htaccess solution would be nice, but can it be overridden by some code? Notice that it's not in the server configuration.
Answer 1:
Try sending another X-Frame-Options header; add
<?php header('X-Frame-Options: GOFORIT'); ?>
to the top of your page. It should disable the SAMEORIGIN command.
Answer 2:
According to the Mozilla dev pages, here is the definition of
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
It means that the page would only be shown if you are including it from your own site.
Let's suppose
- you have a website on http://foo.com and you want to show something in an iframe from http://foo.com/sec_page; it would show up in the iframe
- but if you embed the same iframe (http://foo.com/sec_page) to load in http://bar.com, then it would not display anything, as the origin would be changed.
You can read the full note here
Answer 3:
You can remove the header from the response you get:
header_remove("X-Frame-Options");
Answer 4:
I've added this in httpd.conf:
Header unset X-Frame-Options
And it works.
Answer 5:
Set X-Frame-Options to DENY or SAMEORIGIN. Otherwise it may help in crafting phishing attacks or frame injections if your site is vulnerable to an XSS attack.
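An added example (not from the thread) modelling in Python how a browser evaluates the X-Frame-Options values it receives, following the HTML Standard's check: it shows why `Header always append` on top of a header the application already sends yields a merged value the browser refuses, why SAMEORIGIN only admits the same scheme/host/port (answer 2), and why a made-up value like GOFORIT (answer 1) is simply ignored, dropping the clickjacking protection answer 5 warns about. The header lists are constructed, and a single embedding ancestor is assumed.

```python
from urllib.parse import urlsplit

# Constructed header lists modelling what a browser could receive in the
# situations discussed on this page.
MERGED_BY_HTACCESS = [("X-Frame-Options", "DENY, SAMEORIGIN")]  # 'Header append'
PHP_MADE_UP_VALUE = [("X-Frame-Options", "GOFORIT")]           # answer 1
SAMEORIGIN_ONLY = [("X-Frame-Options", "SAMEORIGIN")]


def origin_of(url: str) -> tuple:
    """Scheme/host/port triple used for the same-origin comparison."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname, port)


def xfo_allows_framing(headers, page_url: str, embedder_url: str):
    """Decide whether a browser renders page_url inside a frame on embedder_url.

    Follows the HTML Standard's X-Frame-Options check for a single ancestor.
    `headers` is a list of (name, value) pairs; duplicate header lines and
    comma-joined values (what Apache 'Header append' produces) both count.
    Returns (allowed, reason).
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values += [v.strip().lower() for v in value.split(",") if v.strip()]
    if not values:
        return True, "no X-Frame-Options: any site may frame this page"
    unique = set(values)
    if len(unique) > 1:
        # Conflicting values: the browser refuses to render if any of them is a
        # real directive, which is why an appended SAMEORIGIN breaks framing.
        if unique & {"deny", "sameorigin", "allowall"}:
            return False, "conflicting values %s: refused" % sorted(unique)
        return True, "only unrecognised values %s: header ignored" % sorted(unique)
    value = unique.pop()
    if value == "deny":
        return False, "DENY: never framed"
    if value == "sameorigin":
        if origin_of(page_url) == origin_of(embedder_url):
            return True, "SAMEORIGIN: embedder is same-origin"
        return False, "SAMEORIGIN: %s is a different origin" % embedder_url
    # A made-up token such as GOFORIT is ignored entirely, which silently
    # drops clickjacking protection instead of allowing only your own site.
    return True, "unrecognised value %r: header ignored" % value
```

Replacing `Header always append` with `Header always set` (or `unset`, as in answer 4) avoids the merged value; prefer `set` to SAMEORIGIN so the protection stays in place.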
Source: https://stackoverflow.com/questions/12182768/x-frame-options-sameorigin-blocking-iframe-on-my-domain