Custom HTTP response header - Enforce same origin frame security


(Rwahyudi) #1

We’d like to include one Matrix page in an iframe from an external server.
Unfortunately, being a responsible operator, we enabled the “Enforce same Origin Frame Security For Frontend” option.

Is there a way to disable this option for just one page, or is there a way to send a custom header response for a specific URL?


(David Schoen) #2

You should be able to override X-Frame-Options in a “Send HTTP Header” Trigger action. You can limit it to one page by using an “Asset ID” or “URL matches” condition.


(Rwahyudi) #3

Thanks - There is an action to set HTTP headers but not to remove existing headers.
Luckily the page is only loaded from a single source, so triggers work!


(David Schoen) #4

Just setting the header in the trigger should overwrite the existing Matrix-set one, so there’s no need to remove the existing header.

If it was loaded from multiple sources, using “Asset ID” as the condition should be fine; you only need “URL matches” if you want to only allow it on a specific URL.
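
Added example, not part of any post in this thread and not Squiz Matrix code: a small audit that models how browsers evaluate X-Frame-Options (following the HTML Standard's rules), to confirm that the trigger relaxed framing for the intended page only and that the header was overwritten rather than sent twice. The hosts, paths and header values in the sample are constructed, and the sketch assumes a single level of framing with no CSP frame-ancestors directive in play.

```python
# Added example: X-Frame-Options evaluation modelled on the HTML Standard's
# processing rules, simplified to one embedding level (assumption).
from urllib.parse import urlsplit

RECOGNISED = {"deny", "sameorigin", "allowall"}

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def framing_allowed(xfo_lines, page_url, embedder_url):
    """Return True if a browser would render page_url inside embedder_url."""
    # Header lines are combined, split on commas, lowercased and de-duplicated.
    values = []
    for line in xfo_lines:
        for v in line.split(","):
            v = v.strip().lower()
            if v and v not in values:
                values.append(v)
    if not values:
        return True                      # no header: no restriction
    if len(values) > 1:
        # Conflicting values: blocked if any of them is a recognised token.
        return not any(v in RECOGNISED for v in values)
    if values[0] == "deny":
        return False
    if values[0] == "sameorigin":
        return origin(page_url) == origin(embedder_url)
    return True                          # allowall, or unrecognised (e.g. allow-from)

def audit(responses, embedder_url, intended):
    """responses: {url: [X-Frame-Options header lines]}. Returns findings."""
    findings = []
    for url, lines in sorted(responses.items()):
        allowed = framing_allowed(lines, url, embedder_url)
        if allowed and url not in intended:
            findings.append((url, "frameable but not intended"))
        elif not allowed and url in intended:
            findings.append((url, "intended but still blocked"))
    return findings

# Constructed sample data; hosts, paths and values are placeholders.
SAMPLE = {
    "https://matrix.example/home": ["SAMEORIGIN"],
    "https://matrix.example/widget": ["ALLOWALL"],
    "https://matrix.example/widget2": ["SAMEORIGIN", "ALLOWALL"],  # both headers sent
    "https://matrix.example/news": [],
}
```

A lone ALLOW-FROM value is not honoured by current browsers, so the model treats it like any unrecognised value: the page becomes frameable by every origin, not just the one named.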


(Petri Iivonen) #5

Another way to do this is to use a remote content page (either as a whole page or as nested content). Saves you trouble in the long run. Of course, the source page has to have something that helps you clearly define the part of the page you want to embed.