Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

March 25, 2017 10k views
Nginx PHP Ubuntu 16.04

I uploaded a project on the PHP server in my droplet, which has both a Node and a PHP server block on nginx. But when I opened it in the browser it isn't working, because it works with iframes, and in the console I see:

Refused to display 'myiframe' in a frame because it set 'X-Frame-Options' to 'DENY'.

And also Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "https://www.mydomain.com" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

What's the most secure way to deal with those headers on nginx and php?

1 Answer

@tamburrinipietro89
Change it from DENY to SAMEORIGIN. That keeps a lot of the security, while it should make your app work.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

  • Thanks a lot, but I didn't set it to DENY. I checked my site enabled file and it's not there. Where should I look to find where these headers are set? I'm sure they're not set in my PHP files.

    • @tamburrinipietro89
      Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)?

      grep -ri "X-Frame-Options" /etc/nginx
      
      grep -ri "X-Frame-Options" /var/www
      

      Do any of these hint at a file? If yes, then the header is set in that file.
      By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security).
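
One way to apply the SAMEORIGIN suggestion in nginx once the source of the header has been found, as an added example that is not part of the thread. It sets the header in one place and drops any copy sent by the PHP backend; the server name, web root, PHP-FPM socket path and the Ubuntu `snippets/fastcgi-php.conf` include are assumptions.

```nginx
# Added example, not configuration from the thread.
# server_name, root and the PHP-FPM socket path are assumptions.
server {
    # listen and ssl_* directives stay as in the existing server block
    server_name www.example.com;          # placeholder domain
    root /var/www/html;                   # assumed web root

    # Before (matches the console message): framing refused for every origin.
    # add_header X-Frame-Options "DENY" always;

    # After: only pages served from this same origin may frame the site.
    # "always" also covers error responses (4xx/5xx).
    add_header X-Frame-Options "SAMEORIGIN" always;

    # CSP directive with the same effect, understood by current browsers.
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;            # Ubuntu nginx package
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # assumed socket path

        # Drop a copy of the header sent by PHP (a header() call or a
        # framework default) so the response carries only the value above.
        fastcgi_hide_header X-Frame-Options;

        # Do not add an add_header line in this block unless both headers
        # above are repeated here: nginx inherits add_header from the server
        # level only when the location defines none of its own.
    }
}
```

After `nginx -t` and a reload, the response headers for a PHP page should show a single `X-Frame-Options: SAMEORIGIN` line.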
