Andrej
Well-known member
I am helping out a owner of a XenForo forum, and we have a problem figuring out if it is possible to enable iframe only for a single external domain.
I know that you can add
Note that I changed the URL to
However, it does not embed at the external website. If I disable clickjacking protection using
I know that you can add
$config['enableClickjackingProtection'] = false;
to config.php to disable it globally, but we would like to embed the forum in question in a page on a external website (different domain), and dont disable the protection globally. I have read that you can add header('X-Frame-Options: ALLOW-FROM https://example.com/');
to config.php, but it does not seem to work correctly. It does seem to show correctly in response headers of the site that I want to embed:Note that I changed the URL to
https://example.com
just to hide the real url in the screenshotHowever, it does not embed at the external website. If I disable clickjacking protection using
$config['enableClickjackingProtection'] = false;
then it embeds fine. How can I troubleshoot this? Eventually, is there any better way to do this since ALLOW-FROM apparently not supported across all browsers?