Custom HTTP response header - Enforce same origin frame security


(Rwahyudi) #1

We’d like to include one matrix page in an iframe from an external server.
Unfortunately, being a responsible operator, we enabled the “Enforce same Origin Frame Security For Frontend” option.

Is there a way to disable this option for just one page or is there a way to send custom header response for specific URL?


(David Schoen) #2

You should be able to override X-Frame-Options in a “Send HTTP Header” Trigger action. You can limit it to one page by using an “Asset ID” or “URL matches” conditions.


(Rwahyudi) #3

Thanks - there is an action to set HTTP headers but not one for removing existing headers.
Luckily the page is only loaded from a single source, so triggers work!


(David Schoen) #4

Just setting the header in the trigger should overwrite the existing Matrix set one, so there’s no need to remove the existing header.

If it were loaded from multiple sources, using “Asset ID” as the condition should be fine; you only need “URL matches” if you want to allow it only on a specific URL.


#5

Another way to do this is to use a remote content page (either as a whole page or as nested content). It saves you trouble in the long run. Of course, the source page has to have something that helps you clearly define the part of the page you want to embed.


(Steven) #6

Hi,
I think this is the solution I’m looking for, as our Facebook feeds have stopped displaying on our site due to the error “Refused to display 'https://www.facebook.com/' in a frame because it set 'X-Frame-Options' to 'deny'.”

I’ve set up a trigger to look for my test pages and add a new HTTP header as instructed above. It doesn’t seem to have made any difference though.

The page I’m testing is: https://fife-web-dev.squiz.cloud/sandbox/sg-test/sg-second-test-page

I’ve attached a couple of screenshots for reference.

It would be amazing if anyone could point out what I’ve done wrong. I’m scratching my head with this one.

Thanks
Steven


(Steven) #7

I’ve updated the trigger to go on “Asset accessed”.
I’ve also changed from X-Frame-Options to Content-Security-Policy, as I couldn’t get anything to work with ‘X-Frame-Options’. I’m still struggling to get this to work, although now I do see my changes in the browser developer tools.
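As an added example (not from this thread and not Squiz Matrix code), the following Python models how a browser evaluates the two headers discussed in #2/#4 and in #7 when deciding whether one page may place another in an iframe: only the response headers of the *framed* document are consulted, and a `frame-ancestors` directive in that response's Content-Security-Policy takes precedence over any X-Frame-Options header. The origins, header sets and helper names (`frame_allowed`, `origin_of`) are constructed for illustration.

```python
"""Model of the browser-side check: may page A embed page B in an <iframe>?

Only the *framed* response's headers matter (X-Frame-Options and the CSP
frame-ancestors directive); headers sent with the embedding page play no
part. All header sets and URLs below are constructed samples.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _source_matches(source: str, framing_origin: str, framed_origin: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.strip().lower()
    if src == "'self'":
        return framing_origin == framed_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-only source, e.g. "https:"
        return framing_origin.startswith(src + "//")
    scheme, sep, host = src.partition("://")
    if not sep:                                    # host-only source inherits the framed scheme
        scheme, host = framed_origin.partition("://")[0], src
    f_scheme, _, f_host = framing_origin.partition("://")
    if scheme != f_scheme:
        return False
    if host.startswith("*."):                      # "*.example.com" matches subdomains only
        return f_host.endswith(host[1:])
    return f_host == host


def _csp_frame_ancestors(headers):
    """Return the frame-ancestors source list, or None if no policy sets one."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def frame_allowed(framed_headers, framing_url: str, framed_url: str) -> bool:
    """True if a page at framing_url may embed the response served for framed_url."""
    framing_origin = origin_of(framing_url)
    framed_origin = origin_of(framed_url)
    ancestors = _csp_frame_ancestors(framed_headers)
    if ancestors is not None:
        # CSP frame-ancestors is authoritative; X-Frame-Options is ignored when present.
        if any(t.lower() == "'none'" for t in ancestors):
            return False
        return any(_source_matches(t, framing_origin, framed_origin) for t in ancestors)
    xfo = [v.strip().upper() for n, v in framed_headers if n.lower() == "x-frame-options"]
    if "DENY" in xfo:
        return False
    if "SAMEORIGIN" in xfo:
        return framing_origin == framed_origin
    return True                                    # no recognised restriction: embedding allowed


# Constructed sample responses (not captured from any real server).
CMS_DEFAULT = [("X-Frame-Options", "SAMEORIGIN")]
CMS_AFTER_TRIGGER = [
    ("X-Frame-Options", "SAMEORIGIN"),             # still present, but overridden by CSP below
    ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example"),
]
THIRD_PARTY_DENY = [("X-Frame-Options", "DENY")]  # what a site that refuses framing sends


def demo() -> dict:
    """Evaluate the thread's scenarios; each value is the browser's verdict."""
    page = "https://cms.example/some-page"
    partner = "https://partner.example/embed"
    return {
        "default_from_partner": frame_allowed(CMS_DEFAULT, partner, page),
        "default_same_origin": frame_allowed(CMS_DEFAULT, "https://cms.example/other", page),
        "after_trigger_from_partner": frame_allowed(CMS_AFTER_TRIGGER, partner, page),
        "after_trigger_from_other": frame_allowed(CMS_AFTER_TRIGGER, "https://other.example/", page),
        # The embedding page's own headers change nothing: the framed response decides.
        "third_party_deny": frame_allowed(THIRD_PARTY_DENY, page, "https://social.example/feed"),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {'allowed' if verdict else 'blocked'}")
```

Running the script prints one verdict per scenario. The last case is the one that matters for #6: a third-party response carrying `X-Frame-Options: DENY` is blocked whatever headers the embedding site's own trigger adds, because the browser reads the restriction from the framed response, not from the page doing the framing.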