XF 1.5 Can't include iFrame from same origin

ToKKaN

Hello, I want to include an iframe, and the iframe is on the same server as XenForo. So as far as I understood it, this should be no problem because the src is on the same server. But the iframe is just blank. Did I miss any setting or something?

Code:
<iframe src="/569trbfd78g9tn5oi4uneodufghz/status.php" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0" style="border:0; width: 100%; height: 80px;overflow:hidden; position: relative"></iframe>

I hope someone can help me.
 
Hi @ToKKaN ,

There is clickjacking iFrame protection turned on by default, you need to disable it in library/config.php:

Code:
$config['enableClickjackingProtection'] = false; // default: true

See:
https://xenforo.com/help/config-php-options/

Thanks for the answer. I did this already but it did not work. The forum is on %domain%/forum and the iframe on %domain%/569trbfd78g9tn5oi4uneodufghz

Does this have to do with it maybe?

Edit: Even if I place it in the forum directory it does not work.
 
Sorry I misread - the option only takes effect when you try to embed XenForo into another page using an iFrame.

Sounds like you're trying to embed another iFrame into XF directly?

Probably a server config issue then? You might need to check with your server admin.
 
I have full access to the server. The thing is, I had this working for like 8 months now. Today I switched the top level domain of the website and now this does not work.

I also tried to add the SAMEORIGIN header to nginx without success.
 
Can you check your HTTP response headers in your browser (e.g. Chrome network tab) when browsing normal XF threads? I checked both here and on my board, and default for this is: x-frame-options: SAMEORIGIN

It sounds like your header has been explicitly set to Deny ?
 
I'm not sure where I can see the response headers you need to know, but could it be that Cloudflare sends this header?
 
In Chrome open up the Developer Tools with F12, then go to Network Tab.

Refresh the page. Then scroll up and find the page, using this XF thread as an example:

network-tools.webp
network-tools2.webp

Would be curious to see what that header comes up with on your page..
 
Yeah that's definitely not right.. the fact that you mentioned it was working fine earlier would mean something must have changed in your server config?

I'm not familiar with nginx sorry, probably best to ask here as this is not really a XF issue - I think it would be affecting other scripts too on your server:
https://xenforo.com/community/forums/server-configuration-and-hosting.48/

Thank you very much for your responses! After you mentioned that something must have changed in my nginx configuration, I remembered that I added a config for 2048-bit SSL encryption, and that config forced the header DENY. After changing this it now works fine.
Thank you very much again.
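
The failure this thread ended on (a server-wide X-Frame-Options: DENY where SAMEORIGIN was expected) can be checked from captured response headers. The following is an added example, not part of any post above and not XenForo code: it is modelled on the X-Frame-Options handling in the HTML Standard, considers only the direct parent page, and uses a placeholder host and constructed header sets.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
KNOWN = {"deny", "sameorigin", "allowall"}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def frame_verdict(parent_url, framed_url, headers):
    """Decide whether framed_url may render inside parent_url.

    headers: (name, value) pairs of the framed response, repeats included.
    Returns (allowed, reason); allowed is None when CSP decides instead.
    """
    values = set()
    for name, value in headers:
        name = name.lower()
        if name == "content-security-policy" and "frame-ancestors" in value.lower():
            return (None, "CSP frame-ancestors present, X-Frame-Options is ignored")
        if name == "x-frame-options":
            # Repeated headers and comma-separated lists collapse into one set.
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    if not values:
        return (True, "no X-Frame-Options header")
    if len(values) > 1:
        if values & KNOWN:
            return (False, "conflicting values %s are treated as deny" % sorted(values))
        return (True, "only unrecognised values, header ignored")
    if "deny" in values:
        return (False, "DENY blocks every parent, same-origin included")
    if "sameorigin" in values:
        same = origin(parent_url) == origin(framed_url)
        return (same, "SAMEORIGIN, origins %s" % ("match" if same else "differ"))
    return (True, "value does not restrict framing")

# Constructed sample data: placeholder host, not values from the thread.
PARENT = "https://forum.example/forum/"
FRAMED = "https://forum.example/status/status.php"
CASES = {
    "app default": [("X-Frame-Options", "SAMEORIGIN")],
    "server-wide DENY": [("X-Frame-Options", "DENY")],
    "app header plus server add_header": [("X-Frame-Options", "SAMEORIGIN"),
                                          ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in CASES.items():
        print(label, "->", frame_verdict(PARENT, FRAMED, hdrs))
```

The third case shows why adding a SAMEORIGIN header on top of an existing DENY does not help: the two values conflict and the frame is still blocked, so the DENY line itself has to be changed.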
 