X-Frame-Options SAMEORIGIN

[Raymond Geerts]

Not specificly related to PW, but in a way it does.

I have setup two processwire installs on different sub-domains.

Scenario:

1. Main website - visitors go here

http://www.domain.com/

2. Data API provider - RESTful API spitting out (cached) JSON objects

http://data.domain.com/

Website 1 loads data trough AJAX / Angular.js from website 2

Since PW by default has the following line in the .htaccess file it will prevent access from cross domains requests that load in an iframe

Header always append X-Frame-Options SAMEORIGIN

One solution i found was to put the following line in my template file (or somekind of init.php file) at website 2, allowing website 1 to access

header('Access-Control-Allow-Origin: http://www.domain.com');

That worked nice, until i installed the Procache module from Ryan. A logic change, since PHP is completely bypassed it does'nt set the headers anymore.

The final solution: I removed the header line from the php file and put it in the .htaccess file just below the SAMEORIGIN line on website 2

Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://www.domain.com"

Could be helpful to anybody, thats why i posted it here

Update: found a nice script allowing any sub-domain of the origin host

http://stackoverflow.com/a/19519690

Edited August 29, 2014 by Raymond Geerts

[Raymond Geerts]

I'm not sure how to aply to multiple domains or protocols.

Does anybody know how to allow traffic from lets say: http://www.domain.com, and https://www.domain.com at the same time?

I tried several methods but they all failed

These below do not work

Gives a 500 Internal server error

Header set Access-Control-Allow-Origin "http://domain.com", "https://domain.com"

Gives a CORS browser error, blocking the result to be retrieved

Header add Access-Control-Allow-Origin "http://domain.com"
Header add Access-Control-Allow-Origin "https://domain.com"

Gives also a CORS browser error, blocking the result to be retrieved

Header add Access-Control-Allow-Origin "[http|https]://domain.com"

[horst]

so, forgive me if this is a completly other thing, but what about a crossdomain.xml file? Is this used for something other?

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="example.com" />
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="data.example.com" />
</cross-domain-policy>

[Raymond Geerts]

@horst i'm not familiar with any of this. so i'm not sure what that file crossdomain.xml does or doesnt do. It seems to have similar words in the tags so it might be some kind of solution too.

Anyway regarding multiple domain names and/or protocols, i stumbled up on the following thing on stackoverflow which seems to work fine, so that might be it. have'nt dont further testing, but lets see if it fails i will post here again

http://stackoverflow.com/a/23998863

[WillyC]

u.can removal this lines >>>

Header always append X-Frame-Options SAMEORIGIN

[Raymond Geerts]

@WillyC but i want to prevent everybody from loading the data trough an iframe. Only my own script should be able to, atleast for now

[bramwolf]

Hi Guys,

I've been trying to figure out how I can get the iframe to show the title of the page it is loading. 
I was thinking in the lines of a jQuery script that adds a title attribute to the iframe of maybe a addition
to the header line in .htaccess? Does anybody have a clue of this would be possible? ?

Thanks in advace!

[Robin S]

10 hours ago, bramwolf said:

I've been trying to figure out how I can get the iframe to show the title of the page it is loading.

If the page you are loading in the iframe is on the same domain as your site you can get the title by finding it within jQuery contents() - google it for details.

If the page is not on the same domain then you cannot get the iframe contents (and therefore the title) via Javascript. You could get the page contents via PHP (e.g. PW WireHttp) and use DOMDocument or similar to find the title, but the simplest thing might be to use an external API like http://textance.herokuapp.com/index.html

Would be smart to cache the title for a while with WireCache.

[bramwolf]

Thanks man ?

Never knew this was possible. I was going for dynamic loading of the title for each page loaded through the iframe but again I don't think that is possible since the frame and page are on different domains.  So I just decided to give the iframe the same title as the page loaded. Which is already not bad since a Web alias provided by my host just copied the original url to the title.