Share

Question

I uploaded a project on the php server in my droplet which has both node and php server block on nginx. But when i opened it in the browser it isnt working because it works with i frames and in the console i see

Refused to display 'myiframe' in a frame because it set 'X-Frame-Options' to 'DENY'.

And also Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "https://www.mydomain.com" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

What's the most secure way to deal with those headers on nginx and php?

Answer 1

hansen March 25, 2017

@tamburrinipietro89
Change it from DENY to SAMEORIGIN. That keeps a lot of the security, while it should make your app work.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Reply

tamburrinipietro89 March 25, 2017

Thanks a lot but i didnt set it to deny i checked my site enabled file and its not there. Where should i look to find where these headers are set? Im sure they re not set in my php files
- hansen March 25, 2017
  
  @tamburrinipietro89
  Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)
  
  grep -ri "X-Frame-Options" /etc/nginx grep -ri "X-Frame-Options" /var/www
  
  Does any of these hint to a file? If yes, then the header is set in that file.
  By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security)
  
  nouredin October 31, 2018
  
  Thanks @hansen you almost saved my life :D
  I ran this command:
  
  grep -ri "X-Frame-Options" /etc/apache2
  
  and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
  I just had to comment it.

Answer 2

tamburrinipietro89 March 25, 2017

Thanks a lot but i didnt set it to deny i checked my site enabled file and its not there. Where should i look to find where these headers are set? Im sure they re not set in my php files
- hansen March 25, 2017
  
  @tamburrinipietro89
  Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)
  
  grep -ri "X-Frame-Options" /etc/nginx grep -ri "X-Frame-Options" /var/www
  
  Does any of these hint to a file? If yes, then the header is set in that file.
  By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security)
  
  nouredin October 31, 2018
  
  Thanks @hansen you almost saved my life :D
  I ran this command:
  
  grep -ri "X-Frame-Options" /etc/apache2
  
  and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
  I just had to comment it.

Answer 3

gopalsharma August 2, 2019

I got this error on my Moodle site after installing the self-signed SSL certificate on my ubuntu 18.04 and 16.04 with apache2 web server installed on it.
First, go to this location on your ubuntu server /etc/apache2/conf-available
and open the file ssl-params.conf , which you must have created for installing an SSL certificate.
Make this Change in the file from DENY to SMAEORIGIN
Header always set X-Frame-Options SAMEORIGIN
This worked for me.

Reply

Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

Leave a Comment

Share

Share your Question

Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

Leave a Comment

Related Questions

Almost there!