Cannot Load Concrete Within Iframe
Permalink
I am working on a hand-coded site which makes use of an iframe to load a Concrete5 site. The C5 site is on the same server (in a subdomain). I am getting this error in the console:
I tested the iframe on a different URL, and it works fine, so this is only happening with the C5 install.
I've never encountered this issue before, so I'm not sure what to do here. Ideas?
Refused to display 'http://labcoat.pinecreativelabs.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I tested the iframe on a different URL, and it works fine, so this is only happening with the C5 install.
I've never encountered this issue before, so I'm not sure what to do here. Ideas?
Hi. Thanks for the information. You need a space after the ALLOW-FROM
[Not your fault - it was being deleted when posting the code so I put two spaces in and it worked!]
<?php return [ /* * ------------------------------------------------------------------------ * Security * ------------------------------------------------------------------------ */ 'security' => [ 'misc' => [ /* * Defence Click Jacking. * * @var bool|string DENY, SAMEORIGIN, ALLOW-FROM uri */ // ALLOW-FROM uri
Viewing 15 lines of 20 lines. View entire code block.
[Not your fault - it was being deleted when posting the code so I put two spaces in and it worked!]
Here is some information on X-Frame-Options.
X-Frame-Options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Op...
X-Frame-Options appear to be set in the FrameOptionsMiddleware:
https://github.com/concrete5/concrete5/blob/bb8f19f45e225bc6e9543c59...
concrete5 X-Frame-Options default config setting (SAMEORIGIN):
https://github.com/concrete5/concrete5/blob/bb8f19f45e225bc6e9543c59...
It looks like you can try overriding that config setting by using ALLOW-FROM:
This code would go in application\config\concrete.php. If you don't have this file, you would create it. If you do have this file, you would add the "security" portion to the existing array elements.