Enable iframe (disable clickjacking protection) for a single external domain

Andrej

Well-known member
I am helping out an owner of a XenForo forum, and we have a problem figuring out if it is possible to enable iframe only for a single external domain.

I know that you can add $config['enableClickjackingProtection'] = false; to config.php to disable it globally, but we would like to embed the forum in question in a page on an external website (different domain), and don't disable the protection globally. I have read that you can add header('X-Frame-Options: ALLOW-FROM https://example.com/'); to config.php, but it does not seem to work correctly. It does seem to show correctly in the response headers of the site that I want to embed:

[Screenshot: x-frame-options.png]
Note that I changed the URL to https://example.com just to hide the real url in the screenshot

However, it does not embed at the external website. If I disable clickjacking protection using $config['enableClickjackingProtection'] = false; then it embeds fine. How can I troubleshoot this? Eventually, is there any better way to do this, since ALLOW-FROM is apparently not supported across all browsers?

Andrej

Well-known member
I'm not really well-versed into this, but I solved it by adding the following to .htaccess:
Code:
<IfModule mod_setenvif.c>
# Flag requests whose Referer is the permitted site (anchored, dot escaped, so notexample.com does not match)
SetEnvIf Referer "^https?://(www\.)?example\.com(/|$)" iframes_allow
</IfModule>
<IfModule mod_headers.c>
# Keep the SAMEORIGIN header unless the request was flagged above
Header set X-Frame-Options SAMEORIGIN env=!iframes_allow
</IfModule>

rexxxy

Active member
I'm not really well-versed into this, but I solved it by adding the following to .htaccess:
Code:
<IfModule mod_setenvif.c>
# Flag requests whose Referer is the permitted site (anchored, dot escaped, so notexample.com does not match)
SetEnvIf Referer "^https?://(www\.)?example\.com(/|$)" iframes_allow
</IfModule>
<IfModule mod_headers.c>
# Keep the SAMEORIGIN header unless the request was flagged above
Header set X-Frame-Options SAMEORIGIN env=!iframes_allow
</IfModule>
I tried this and it doesnt work for me. Is it still working for you?
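As an added example that is not part of this thread and not XenForo code: the Python script below answers the troubleshooting question from the first post by applying the browser-side rules for X-Frame-Options and CSP frame-ancestors to a set of response headers, so you can see which origins a given header set actually lets frame the page. It follows the HTML spec's X-Frame-Options algorithm (only DENY and SAMEORIGIN are recognised, a frame-ancestors directive makes X-Frame-Options ignored, conflicting values block) and CSP source matching with paths ignored. It also mirrors the SetEnvIf Referer test from the .htaccess posted above, with the loose regex beside an anchored one. The origins forum.example.net, example.com and notexample.com are made-up placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder origins; the real forum and embedding site in the thread are not known.
FORUM = "https://forum.example.net"     # the XenForo site being framed
PARTNER = "https://example.com"         # the one external site allowed to frame it
OTHER = "https://notexample.com"        # any other site

DEFAULT_PORTS = {"http": 80, "https": 443}

# --- the Referer test behind 'SetEnvIf Referer <regex> iframes_allow' -------------------
LOOSE_RE = re.compile(r"^.*?example.com")                               # as posted in the thread
STRICT_RE = re.compile(r"^https?://(www\.)?example\.com(?=[/?#]|$)")     # anchored, dot escaped

def referer_would_allow(referer, pattern):
    """True when SetEnvIf would set iframes_allow for this Referer (an absent Referer never matches)."""
    return referer is not None and pattern.search(referer) is not None

# --- what a browser does with the response headers -------------------------------------
def _origin(url):
    """(scheme, host, port) of a URL or origin string, default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def _scheme_ok(wanted, actual):
    """CSP scheme match: exact, or an http source also matches https."""
    return actual == wanted or (wanted == "http" and actual == "https")

def _source_matches(source, embedder, page):
    """Match one frame-ancestors source expression against the embedder origin (paths are ignored)."""
    s = source.lower()
    e_scheme, e_host, e_port = _origin(embedder)
    if s == "'self'":
        return _origin(embedder) == _origin(page)
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s.endswith(":") and "/" not in s:                   # scheme-source, e.g. https:
        return _scheme_ok(s[:-1], e_scheme)
    if "://" in s:
        s_scheme, _, hostport = s.partition("://")
    else:                                                  # host-source takes the page's scheme
        s_scheme, hostport = _origin(page)[0], s
    if not _scheme_ok(s_scheme, e_scheme):
        return False
    host, _, port = hostport.split("/")[0].partition(":")
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):
            return False
    elif e_host != host:
        return False
    if port == "*":
        return True
    return e_port == (int(port) if port else DEFAULT_PORTS.get(e_scheme))

def _frame_ancestors(headers):
    """Source list of the first frame-ancestors directive in any CSP header, else None."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                dname, _, dvalue = directive.strip().partition(" ")
                if dname.lower() == "frame-ancestors":
                    return dvalue.split()
    return None

def framing_allowed(headers, embedder, page):
    """Can a document at origin `embedder` frame a page at origin `page` that replied with `headers`?
    `headers` is a list of (name, value) pairs so repeated headers can be represented. A CSP
    frame-ancestors directive makes X-Frame-Options ignored; otherwise DENY and SAMEORIGIN are the
    only recognised values and conflicting values fail closed."""
    sources = _frame_ancestors(headers)
    if sources is not None:
        return any(_source_matches(s, embedder, page) for s in sources)
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values += [v.strip().lower() for v in value.split(",")]
    if not values:
        return True                       # no header at all: anyone may frame the page
    if len(set(values)) > 1:
        return False                      # e.g. SAMEORIGIN plus ALLOW-FROM: conflicting, so blocked
    if values[0] == "deny":
        return False
    if values[0] == "sameorigin":
        return _origin(embedder) == _origin(page)
    return True                           # ALLOW-FROM or anything else: unrecognised, ignored

if __name__ == "__main__":
    allow_from = [("X-Frame-Options", "ALLOW-FROM https://example.com/")]
    both = [("X-Frame-Options", "SAMEORIGIN")] + allow_from
    csp = [("X-Frame-Options", "SAMEORIGIN"),
           ("Content-Security-Policy", "frame-ancestors 'self' https://example.com")]
    for label, hdrs in (("ALLOW-FROM only", allow_from), ("SAMEORIGIN + ALLOW-FROM", both), ("CSP", csp)):
        print(label, {o: framing_allowed(hdrs, o, FORUM) for o in (FORUM, PARTNER, OTHER)})
    print("loose regex accepts", OTHER, referer_would_allow(OTHER + "/", LOOSE_RE))
```

Run it and the three header sets show why an ALLOW-FROM line on its own is simply ignored by current browsers (any site can frame the page), why a response carrying both SAMEORIGIN and ALLOW-FROM is blocked everywhere, and how a single `Content-Security-Policy: frame-ancestors 'self' https://example.com` header admits exactly the one external site without any Referer sniffing. The Referer approach also fails whenever the browser sends no Referer at all, which a strict referrer policy on the embedding site will cause.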