
XF 1.5 Can't include iFrame from same origin

#1
Hello, I want to include an iframe, and the iframe is on the same server as XenForo. As far as I understood it, this should be no problem because the src is on the same server. But the iframe is just blank. Did I miss any setting or something?

Code:
<iframe src="/569trbfd78g9tn5oi4uneodufghz/status.php" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0" style="border:0; width: 100%; height: 80px;overflow:hidden; position: relative"></iframe>


I hope someone can help me.
 
#2
Hi @ToKKaN ,

There is clickjacking iFrame protection turned on by default, you need to disable it in library/config.php:

Code:
$config['enableClickjackingProtection'] - default: true
See:
https://xenforo.com/help/config-php-options/
Thanks for the answer. I did this already but it did not work. The forum is on %domain%/forum and the iframe on %domain%/569trbfd78g9tn5oi4uneodufghz

Does this have to do with it maybe?

Edit: Even if I place it in the forum directory it does not work.
 

Optic

Well-known member
#3
Sorry I misread - the option only takes effect when you try to embed XenForo into another page using an iFrame.

Sounds like you're trying to embed another iFrame into XF directly?

Probably a server config issue then? You might need to check with your server admin.
 
#4
I have full access to the server. The thing is, I had this working for like 8 months now. Today I switched the top-level domain of the website and now this does not work.

I also tried to add the SAMEORIGIN header to nginx, without success.
 

Optic

Well-known member
#5
Can you check your HTTP response headers in your browser (e.g. Chrome network tab) when browsing normal XF threads? I checked both here and on my board, and default for this is: x-frame-options: SAMEORIGIN

It sounds like your header has been explicitly set to Deny?
 
#6
I'm not sure where I can see the response headers you need to know, but could it be that Cloudflare sends this header?
 

Optic

Well-known member
#7
In Chrome open up the Developer Tools with F12, then go to Network Tab.

Refresh the page. Then scroll up and find the page, using this XF thread as an example:

network-tools.png
network-tools2.png

Would be curious to see what that header comes up with on your page..
 
#10
Yeah that's definitely not right.. the fact that you mentioned it was working fine earlier would mean something must have changed in your server config?

I'm not familiar with nginx sorry, probably best to ask here as this is not really a XF issue - I think it would be affecting other scripts too on your server:
https://xenforo.com/community/forums/server-configuration-and-hosting.48/
Thank you very much for your responses! After you mentioned that something must have changed in my nginx configuration, I remembered that I added a config for 2048-bit SSL encryption, and that config forced the header DENY. After changing this it now works fine.
Thank you very much again.
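
Added example, not part of the original thread: a simplified Python model of how a browser evaluates `X-Frame-Options` on the framed response, showing why `DENY` blanks even a same-origin iframe and why sending `SAMEORIGIN` alongside it does not help. The function names, the `example.com` URLs and the sample headers are constructed; the sketch ignores a `Content-Security-Policy: frame-ancestors` directive, which takes precedence over `X-Frame-Options` when present.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def xfo_allows_framing(headers, framed_url, ancestor_urls):
    """Decide whether X-Frame-Options lets framed_url render inside its ancestors.

    headers: list of (name, value) pairs from the *framed* response.
    Returns (allowed, reason). CSP frame-ancestors is not modelled here.
    """
    values = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # Repeated header lines are combined; each line may be a comma list.
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    if not values:
        return True, "no X-Frame-Options header"
    known = values & {"deny", "sameorigin", "allowall"}
    if len(values) > 1:
        if known:
            # e.g. DENY from one config file plus SAMEORIGIN from another
            return False, "conflicting values: " + ", ".join(sorted(values))
        return True, "only unrecognised values, header ignored"
    if "deny" in values:
        return False, "DENY blocks all framing, same-origin included"
    if "sameorigin" in values:
        target = origin(framed_url)
        if any(origin(a) != target for a in ancestor_urls):
            return False, "SAMEORIGIN, but an ancestor has a different origin"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample responses; example.com is a placeholder host.
    page = "https://example.com/forum/"
    frame = "https://example.com/status/status.php"
    samples = [
        [("X-Frame-Options", "DENY")],
        [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
        [("X-Frame-Options", "SAMEORIGIN")],
    ]
    for hdrs in samples:
        print(hdrs, "->", xfo_allows_framing(hdrs, frame, [page]))
```

Feed it the header pairs seen for the iframe's own URL in the browser's network tab, not those of the page that contains the iframe.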