XF 1.5 Embedding other XF sites using Iframe

D

DGG

Member
I tried embedding a sister site (running XF) into a page on my site using Iframe. For some reason it's showing blank. I've also tried embedding other XF sites and they all show blank. However, when I tried embedding my own site into the page using Iframe it worked. Vbulletin sites seem to embed fine, however.

Any reason why XF sites (except my own) aren't embedding properly? Any solutions on how to embed XF sites?

Any help would be most appreciated!
 
Sort by date Sort by votes
That's the default XF behaviour. It can be overridden by the site admin by adding $config['enableClickjackingProtection'] = false; to config.php.
 
Upvote 0 Downvote
Chris D said:
That's the default XF behaviour. It can be overridden by the site admin by adding $config['enableClickjackingProtection'] = false; to config.php.
Click to expand...
Thank you.

I don't want to disable all protection so I've set it to allow X-Frame from one domain via .htaccess.

If I prefer to do this via config.php is there a line I can add to allow X-Frame from just one domain?
 
Upvote 0 Downvote
Chris D said:
Untested, but this should work:
PHP: 
$response = new Zend_Controller_Response_Http();
$response->setHeader('X-Frame-Options', 'ALLOW-FROM https://example.com/');
Click to expand...

Thanks, Chris!

Would it be possible to provide for SAMEORIGIN and ALLOW-FROM at the same time? What would be the code for that?
 
Upvote 0 Downvote
I updated my previous post, the other version is probably more sensible in the config.

DGG said:
Thanks, Chris!

Would it be possible to provide for SAMEORIGIN and ALLOW-FROM at the same time? What would be the code for that?
Click to expand...

I don't think so, no, but I think you can set the same header multiple times:
PHP: 
header('X-Frame-Options: ALLOW-FROM https://example.com/');
header('X-Frame-Options: ALLOW-FROM https://example2.com/', false);
The false parameter on the second line won't overwrite the existing header.

Actually, this would probably just work:
PHP: 
header('X-Frame-Options: ALLOW-FROM https://example.com/', false);
Theory being that the X-Frame-Options header is already set (to SAMEORIGIN) so the false will just add another header of the same type without overwriting the original. Hopefully that would be SAMEORIGIN + specific URL.

That's untested though so I'm not certain without testing it!
 
Upvote 0 Downvote
Chris D said:
Actually, this would probably just work:
PHP: 
header('X-Frame-Options: ALLOW-FROM https://example.com/', false);
Theory being that the X-Frame-Options header is already set (to SAMEORIGIN) so the false will just add another header of the same type without overwriting the original. Hopefully that would be SAMEORIGIN + specific URL.

That's untested though so I'm not certain without testing it!
Click to expand...


Thanks. So I just simply add the following line as-is (with specific URL) to the bottom of config.php?

header('X-Frame-Options: ALLOW-FROM https://example.com/', false);
 
Upvote 0 Downvote
Yes, should be that simple.

If that doesn't work as I'd hope then you might need this version:
Chris D said:
PHP: 
header('X-Frame-Options: ALLOW-FROM https://example.com/');
header('X-Frame-Options: ALLOW-FROM https://example2.com/', false);
Click to expand...
(One line would be your URL (equivalent to SAMEORIGIN) one line would be the other URL)
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

ibaker
  • Question Question
XF 2.1 URGENT Help, all my life XF sites go to blank pages
Replies
13
Views
1K
Arty
Arty
CTXMedia
  • Question Question
Anyone using aMember Pro software to manage single userbase for multiple XF sites?
Replies
9
Views
1K
craigiri
craigiri
Ryan Kent
  • Question Question
Updating XF sites - licensing question
Replies
2
Views
903
Ryan Kent
Ryan Kent
Ati
  • Question Question
youtube iframe embedding
Replies
2
Views
1K
Mike
Mike
Back
Top Bottom