ExpressionEngine® Answers Asked on October 3, 2021
I need to be able to display content from one EE site on another using an iframe. By default, X-Frame-Options for EE is set to "SAMEORIGIN". I know this is set in Core, so I don't want to override it there. I have tried doing the following in the config.php file:
$config['x_frame_options'] = 'ALLOW-FROM https://mysite.com/xyz';
If this is the correct way to do it, it is not working properly. Any insights?
EE sets the default x_frame_options to SAMEORIGIN. You can change that from config, but they don't allow you to set anything outside of their radar. You have limited options, that is: 'DENY', 'SAMEORIGIN', 'NONE'. See their core code in /system/ee/legacy/libraries/Core.php:
/**
 * Set iFrame Headers
 *
 * A security precaution to prevent iFraming of the site to protect
 * against clickjacking. By default we use SAMEORIGIN so that iframe
 * designs are still possible.
 *
 * @return void
 */
private function setFrameHeaders()
{
    $frame_options = ee()->config->item('x_frame_options');
    $frame_options = strtoupper($frame_options);

    // if not specified or invalid value, default to SAMEORIGIN
    if ( ! in_array($frame_options, array('DENY', 'SAMEORIGIN', 'NONE')))
    {
        $frame_options = 'SAMEORIGIN';
    }

    if ($frame_options != 'NONE')
    {
        ee()->output->set_header('X-Frame-Options: '.$frame_options);
    }
}
Unfortunately, it is set by EE core; you cannot override it via .htaccess. That means you have a config setting for 3 values only:
$config['x_frame_options'] = "DENY";
$config['x_frame_options'] = "SAMEORIGIN"; // default
$config['x_frame_options'] = "NONE"; // Your choice to get things working
I believe that setting x_frame_options to NONE will create a security glitch, and I don't recommend it, but it's the only possible way with core. To get a proper solution, I would suggest creating a small plugin. If you don't know how to create a plugin, just follow these steps:
Go to /system/user/addons/ and create a folder named set_header.
Go to the set_header folder and create 2 files: addon.setup.php and pi.set_header.php.
Copy this code to addon.setup.php:
<?php
return array(
    'author'         => 'Amici Infotech',
    'author_url'     => 'https://amiciinfotech.com',
    'description'    => 'Set page Headers',
    'docs_url'       => '#',
    'name'           => 'Set page Headers',
    'settings_exist' => false,
    'version'        => '1.0.0',
    // Vendor\Addons\Name form expected by EE; backslashes restored
    'namespace'      => 'AmiciInfotech\Addons\Set_header',
);
And this to pi.set_header.php:
<?php
$plugin_info = array(
    'pi_name'        => 'Set page Headers',
    'pi_version'     => '1.0.0',
    'pi_author'      => 'Amici Infotech',
    'pi_description' => 'Set page Headers',
    'pi_usage'       => Set_header::usage()
);

class Set_header
{
    function __construct()
    {
        /* Load EE Instance */
    }

    /**
     * Replaces the X-Frame-Options header set by Core::setFrameHeaders()
     * with an ALLOW-FROM value taken from the tag's domain= parameter.
     */
    function xframe_options()
    {
        $domain = ee()->TMPL->fetch_param('domain');

        // no domain given: leave the core SAMEORIGIN header untouched
        if (empty($domain))
        {
            return '';
        }

        ee()->output->set_header("X-Frame-Options: ALLOW-FROM " . $domain);

        return '';
    }

    public static function usage()
    {
        ob_start();
        ?>Set PHP Headers<?php
        $buffer = ob_get_contents();
        ob_end_clean();
        return $buffer;
    }
}
Install the "Set page Headers" plugin from the backend.
Write this code in any template file to allow that page to be framed:
{exp:set_header:xframe_options domain="mysite.com/xyz"}
Answered by Mufi - Amici Infotech on October 3, 2021
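An added check, not part of the answer above or of ExpressionEngine: it mirrors the Core.php whitelist so you can see that the asker's 'ALLOW-FROM ...' value silently collapses to SAMEORIGIN, and it models how a current browser treats each resulting header. Note that X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers (the CSP frame-ancestors directive is what they honour), so the plugin's header behaves like no header at all; origins and headers below are constructed samples.

```python
from typing import Optional

def ee_frame_header(config_value: Optional[str]) -> Optional[str]:
    """Mirror of setFrameHeaders() in Core.php: the X-Frame-Options value EE
    emits for a $config['x_frame_options'] setting, or None when no header
    is sent (the 'NONE' setting)."""
    value = (config_value or "").upper()
    if value not in ("DENY", "SAMEORIGIN", "NONE"):  # 'ALLOW-FROM ...' lands here
        value = "SAMEORIGIN"
    return None if value == "NONE" else value

def ee_response_headers(config_value: Optional[str], extra: Optional[dict] = None) -> dict:
    """Constructed sample response headers for one EE config value (not captured traffic)."""
    headers = dict(extra or {})
    xfo = ee_frame_header(config_value)
    if xfo is not None:
        headers["X-Frame-Options"] = xfo
    return headers

def browser_allows_framing(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """Approximate a current browser's decision when embedder_origin frames a
    page served from page_origin. CSP frame-ancestors takes precedence; otherwise
    X-Frame-Options DENY/SAMEORIGIN apply and ALLOW-FROM is obsolete, so it is
    ignored exactly as if no header were sent. Simplified model: frame-ancestors
    is understood for exact origins, 'self' and 'none' only (no wildcards)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            allowed = set()
            for src in tokens[1:]:
                src = src.strip("'").lower()
                if src == "none":
                    return False
                allowed.add(page_origin.lower() if src == "self" else src)
            return embedder_origin.lower() in allowed
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin.lower() == embedder_origin.lower()
    return True  # absent, ALLOW-FROM or unrecognised: the browser does not restrict
```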
I think that's best done in your .htaccess file.
Answered by Jelle Dijkstra on October 3, 2021