X-Frame-Options SAMEORIGIN

Raymond Geerts

Not specifically related to PW, but in a way it is.

I have set up two ProcessWire installs on different sub-domains.


1. Main website - visitors go here


2. Data API provider - RESTful API spitting out (cached) JSON objects


Website 1 loads data through AJAX / Angular.js from website 2

Since PW by default has the following line in the .htaccess file, it will prevent access from cross-domain requests that load in an iframe

Header always append X-Frame-Options SAMEORIGIN

One solution I found was to put the following line in my template file (or some kind of init.php file) at website 2, allowing website 1 to access

header('Access-Control-Allow-Origin: http://www.domain.com');

That worked nicely, until I installed the ProCache module from Ryan. A logical change, since PHP is completely bypassed, it doesn't set the headers anymore.

The final solution: I removed the header line from the php file and put it in the .htaccess file just below the SAMEORIGIN line on website 2

Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://www.domain.com"

Could be helpful to anybody, that's why I posted it here :)

Update: found a nice script allowing any sub-domain of the origin host



I'm not sure how to apply this to multiple domains or protocols.

Does anybody know how to allow traffic from, let's say, http://www.domain.com and https://www.domain.com at the same time?

I tried several methods but they all failed

These below do not work

Gives a 500 Internal server error

Header set Access-Control-Allow-Origin "http://domain.com", "https://domain.com"

Gives a CORS browser error, blocking the result from being retrieved

Header add Access-Control-Allow-Origin "http://domain.com"
Header add Access-Control-Allow-Origin "https://domain.com"

Also gives a CORS browser error, blocking the result from being retrieved

Header add Access-Control-Allow-Origin "[http|https]://domain.com"
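One way to serve both schemes from a single .htaccess on website 2, as an added example that is not part of the original posts: match the request's Origin against an allow-list and echo back only the origin that matched. It assumes mod_setenvif and mod_headers are enabled; the variable name CORS_ORIGIN is hypothetical and domain.com is the thread's placeholder host.

```apache
# Added example for the API host's .htaccess (website 2).
# Assumes mod_setenvif and mod_headers; CORS_ORIGIN is a hypothetical name.

# Why the attempts above are rejected by the browser:
#  - two "Header add" lines send two Access-Control-Allow-Origin values,
#    but a response may carry exactly one origin (or *);
#  - "[http|https]://domain.com" is sent as a literal string; the header
#    value is compared byte for byte, never treated as a pattern.

# Store the request's Origin in CORS_ORIGIN only when it is exactly one of
# the allowed origins. $0 is the whole match. The ^ and $ anchors and the
# escaped dots matter: without them an origin such as
# "https://domain.com.attacker.example" would also match and be echoed back.
SetEnvIf Origin "^https?://(www\.)?domain\.com$" CORS_ORIGIN=$0

# Send the single matching origin; requests from any other origin get no
# Access-Control-Allow-Origin header at all.
Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

# The response now depends on the Origin request header, so tell HTTP
# caches and proxies not to reuse an answer issued for a different origin.
Header merge Vary "Origin"
```

Requests sent without an Origin header, such as direct navigation or curl, leave CORS_ORIGIN unset and receive the JSON without any CORS header.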

So, forgive me if this is a completely different thing, but what about a crossdomain.xml file? Is this used for something else?

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="example.com" />
  <allow-access-from domain="www.example.com" />
  <allow-access-from domain="data.example.com" />
</cross-domain-policy>

@horst I'm not familiar with any of this, so I'm not sure what that file crossdomain.xml does or doesn't do. It seems to have similar words in the tags so it might be some kind of solution too.

Anyway, regarding multiple domain names and/or protocols, I stumbled upon the following thing on Stack Overflow which seems to work fine, so that might be it. Haven't done further testing, but let's see; if it fails I will post here again.



  • 4 years later...

Hi Guys,

I've been trying to figure out how I can get the iframe to show the title of the page it is loading. 
I was thinking along the lines of a jQuery script that adds a title attribute to the iframe, or maybe an addition
to the header line in .htaccess? Does anybody have a clue if this would be possible? 🙂

Thanks in advance!


10 hours ago, bramwolf said:

I've been trying to figure out how I can get the iframe to show the title of the page it is loading.

If the page you are loading in the iframe is on the same domain as your site you can get the title by finding it within jQuery contents() - google it for details.

If the page is not on the same domain then you cannot get the iframe contents (and therefore the title) via Javascript. You could get the page contents via PHP (e.g. PW WireHttp) and use DOMDocument or similar to find the title, but the simplest thing might be to use an external API like http://textance.herokuapp.com/index.html


Would be smart to cache the title for a while with WireCache.


Thanks man 🙂

Never knew this was possible. I was going for dynamic loading of the title for each page loaded through the iframe but again I don't think that is possible since the frame and page are on different domains.  So I just decided to give the iframe the same title as the page loaded. Which is already not bad since a Web alias provided by my host just copied the original url to the title. 


