Share

Question

I uploaded a project on the php server in my droplet which has both node and php server block on nginx. But when i opened it in the browser it isnt working because it works with i frames and in the console i see

Refused to display 'myiframe' in a frame because it set 'X-Frame-Options' to 'DENY'.

And also Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "https://www.mydomain.com" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

What's the most secure way to deal with those headers on nginx and php?

Answer 1

hansen March 25, 2017

@tamburrinipietro89
Change it from DENY to SAMEORIGIN. That keeps a lot of the security, while it should make your app work.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Reply

tamburrinipietro89 March 25, 2017

Thanks a lot but i didnt set it to deny i checked my site enabled file and its not there. Where should i look to find where these headers are set? Im sure they re not set in my php files
- hansen March 25, 2017
  
  @tamburrinipietro89
  Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)
  
  grep -ri "X-Frame-Options" /etc/nginx grep -ri "X-Frame-Options" /var/www
  
  Does any of these hint to a file? If yes, then the header is set in that file.
  By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security)
  
  nouredin October 31, 2018
  
  Thanks @hansen you almost saved my life :D
  I ran this command:
  
  grep -ri "X-Frame-Options" /etc/apache2
  
  and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
  I just had to comment it.

Answer 2

tamburrinipietro89 March 25, 2017

Thanks a lot but i didnt set it to deny i checked my site enabled file and its not there. Where should i look to find where these headers are set? Im sure they re not set in my php files
- hansen March 25, 2017
  
  @tamburrinipietro89
  Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)
  
  grep -ri "X-Frame-Options" /etc/nginx grep -ri "X-Frame-Options" /var/www
  
  Does any of these hint to a file? If yes, then the header is set in that file.
  By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security)
  
  nouredin October 31, 2018
  
  Thanks @hansen you almost saved my life :D
  I ran this command:
  
  grep -ri "X-Frame-Options" /etc/apache2
  
  and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
  I just had to comment it.

Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

Leave a Comment

Share

Share your Question

Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

Leave a Comment

Related Questions

Almost there!

Report a Bug