XF 1.5 Embedding other XF sites using Iframe

[DGG]

I tried embedding a sister site (running XF) into a page on my site using Iframe. For some reason it's showing blank. I've also tried embedding other XF sites and they all show blank. However, when I tried embedding my own site into the page using Iframe it worked. Vbulletin sites seem to embed fine, however.

Any reason why XF sites (except my own) aren't embedding properly? Any solutions on how to embed XF sites?

Any help would be most appreciated!

 

[Fred.]

They probably have the X-Frame-Options header set.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

 

[DGG]

Thanks, you are right. X-Frame is set to SAMEORIGIN.

 

[Chris D]

That's the default XF behaviour. It can be overridden by the site admin by adding $config['enableClickjackingProtection'] = false; to config.php.

 

[DGG]

That's the default XF behaviour. It can be overridden by the site admin by adding $config['enableClickjackingProtection'] = false; to config.php.

Thank you.

I don't want to disable all protection so I've set it to allow X-Frame from one domain via .htaccess.

If I prefer to do this via config.php is there a line I can add to allow X-Frame from just one domain?

 

[Chris D]

Untested, but this should work:

header('X-Frame-Options: ALLOW-FROM https://example.com/');

 

[DGG]

Untested, but this should work:

$response = new Zend_Controller_Response_Http();
$response->setHeader('X-Frame-Options', 'ALLOW-FROM https://example.com/');

Thanks, Chris!

Would it be possible to provide for SAMEORIGIN and ALLOW-FROM at the same time? What would be the code for that?

 

[Chris D]

I updated my previous post, the other version is probably more sensible in the config.

Thanks, Chris!

Would it be possible to provide for SAMEORIGIN and ALLOW-FROM at the same time? What would be the code for that?

I don't think so, no, but I think you can set the same header multiple times:

header('X-Frame-Options: ALLOW-FROM https://example.com/');
header('X-Frame-Options: ALLOW-FROM https://example2.com/', false);

The false parameter on the second line won't overwrite the existing header.

Actually, this would probably just work:

header('X-Frame-Options: ALLOW-FROM https://example.com/', false);

Theory being that the X-Frame-Options header is already set (to SAMEORIGIN) so the false will just add another header of the same type without overwriting the original. Hopefully that would be SAMEORIGIN + specific URL.

That's untested though so I'm not certain without testing it!

 

[DGG]

Actually, this would probably just work:

header('X-Frame-Options: ALLOW-FROM https://example.com/', false);

Theory being that the X-Frame-Options header is already set (to SAMEORIGIN) so the false will just add another header of the same type without overwriting the original. Hopefully that would be SAMEORIGIN + specific URL.

That's untested though so I'm not certain without testing it!

Thanks. So I just simply add the following line as-is (with specific URL) to the bottom of config.php?

header('X-Frame-Options: ALLOW-FROM https://example.com/', false);

 

[Chris D]

Yes, should be that simple.

If that doesn't work as I'd hope then you might need this version:

header('X-Frame-Options: ALLOW-FROM https://example.com/');
header('X-Frame-Options: ALLOW-FROM https://example2.com/', false);

(One line would be your URL (equivalent to SAMEORIGIN) one line would be the other URL)