Search the Community
Showing results for tags 'X-Frame-Options'.
Found 2 results
-
Not specificly related to PW, but in a way it does. I have setup two processwire installs on different sub-domains. Scenario: 1. Main website - visitors go here http://www.domain.com/ 2. Data API provider - RESTful API spitting out (cached) JSON objects http://data.domain.com/ Website 1 loads data trough AJAX / Angular.js from website 2 Since PW by default has the following line in the .htaccess file it will prevent access from cross domains requests that load in an iframe Header always append X-Frame-Options SAMEORIGIN One solution i found was to put the following line in my template file (or somekind of init.php file) at website 2, allowing website 1 to access header('Access-Control-Allow-Origin: http://www.domain.com'); That worked nice, until i installed the Procache module from Ryan. A logic change, since PHP is completely bypassed it does'nt set the headers anymore. The final solution: I removed the header line from the php file and put it in the .htaccess file just below the SAMEORIGIN line on website 2 Header always append X-Frame-Options SAMEORIGIN Header set Access-Control-Allow-Origin: "http://www.domain.com" Could be helpful to anybody, thats why i posted it here Update: found a nice script allowing any sub-domain of the origin host http://stackoverflow.com/a/19519690
- 7 replies
-
- 5
-
-
- X-Frame-Options
- SAMEORIGIN
- (and 2 more)
-
When I try to load one of the modals in the PW Admin panel, say Insert Link or Crop Image, the modal is blank, and I'm registering a "Load denied by X-Frame-Options" in my console. This option used to work, but I've since ported to a different server and it stopped working. I've tried adding this to my .htaccess file, with no results. Header set X-Frame-Options "ALLOW-FROM http://[my_server_ip]" I also tried commenting out the 'Header always append" line there as well (which I don't really want to do). I'm assuming it might, but could this have anything to do with the fact that my HTTPS is self-signed and not really configuring? I'm not at production stage so I'm still futzing around on the server, and moved onto web development and was going to fix my TLS later. Maybe I should fix it now? That's what i'm going to try. Let me know if you have any other ideas.
