TransWikia.com

How do I set X-Frame-Options in config.php

ExpressionEngine® Answers Asked on October 3, 2021

I need to be able to display content from one EE site on another using an iframe. By default, X-Frame-Options for EE is set to “SAMEORIGIN”. I know this is set in Core, so I don’t want to override it there. I have tried doing the following in the config.php file:

$config['x_frame_options'] = 'ALLOW-FROM https://mysite.com/xyz';

If this is the correct way to do it, it is not working properly. Any insights?

2 Answers

EE has set the default x_frame_options as SAMEORIGIN. You can change that from config, but they don't allow you to set anything outside of their radar. You have limited options, that is: 'DENY', 'SAMEORIGIN', 'NONE'. See their core code in /system/ee/legacy/libraries/Core.php

/**
 * Set iFrame Headers
 *
 * A security precaution to prevent iFraming of the site to protect
 * against clickjacking. By default we use SAMEORIGIN so that iframe
 * designs are still possible.
 *
 * @return      void
 */
private function setFrameHeaders()
{
        $frame_options = ee()->config->item('x_frame_options');
        $frame_options = strtoupper($frame_options);

        // if not specified or invalid value, default to SAMEORIGIN
        if ( ! in_array($frame_options, array('DENY', 'SAMEORIGIN', 'NONE')))
        {
                $frame_options = 'SAMEORIGIN';
        }

        if ($frame_options != 'NONE')
        {
                ee()->output->set_header('X-Frame-Options: '.$frame_options);
        }
}

Unfortunately, it is set by EE core; you cannot override it by .htaccess. That means you have config set for 3 variables only:

$config['x_frame_options'] = "DENY";
$config['x_frame_options'] = "SAMEORIGIN"; // default
$config['x_frame_options'] = "NONE"; // Your choice to get things working

I believe that setting x_frame_options as NONE will make a security glitch and don't recommend it, but it's the only possible way with core. To get a proper solution, I would suggest creating a small plugin. If you don't know how to create a plugin, just follow the steps:

  1. Go to /system/user/addons/ and create a folder named set_header

  2. Go to set_header folder and create 2 files. addon.setup.php and pi.set_header.php

  3. Copy this code to addon.setup.php

<?php
return array(
    'author' => 'Amici Infotech',
    'author_url' => 'https://amiciinfotech.com',
    'description' => 'Set page Headers',
    'docs_url' => '#',
    'name' => 'Set page Headers',
    'settings_exist' => false,
    'version' => '1.0.0',
    'namespace'   => 'AmiciInfotech\Addons\Set_header', // Vendor\Addons\Addon_name, backslashes restored
);
  4. Copy this code to pi.set_header.php

<?php
$plugin_info = array(
        'pi_name'           => 'Set page Headers',
        'pi_version'        => '1.0.0',
        'pi_author'         => 'Amici Infotech',
        'pi_description'    => 'Set page Headers',
        'pi_usage'          => set_header::usage()
    );

class Set_header
{

    function __construct()
    {
        /* Load EE Instance */
    }

    function xframe_options()
    {
        $domain = ee()->TMPL->fetch_param('domain');
        ee()->output->set_header("X-Frame-Options: allow-from " . $domain);
    }

    public static function usage()
    {
        ob_start();
        ?>Set PHP Headers<?php
        $buffer = ob_get_contents();
        ob_end_clean(); 

        return $buffer;
    }

}
  5. Install Plugin Set Header from backend.

  6. Write this code in any template file to allow xframe to that page.

{exp:set_header:xframe_options domain="mysite.com/xyz"}

Answered by Mufi - Amici Infotech on October 3, 2021
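A caveat on the plugin above, and an added example that is not the answer's code and not ExpressionEngine core: X-Frame-Options: ALLOW-FROM was never standardised. Chromium and Safari never honoured it and Firefox dropped it, so current browsers treat that value as unknown. Worse, EE core still sends its own X-Frame-Options: SAMEORIGIN unless x_frame_options is NONE, and under the HTML standard's X-Frame-Options processing a response carrying two different values, one of them SAMEORIGIN, fails the check and the page is blocked from framing everywhere. The standard replacement is the Content-Security-Policy frame-ancestors directive; when a response carries a frame-ancestors directive, browsers that support it ignore X-Frame-Options entirely, so the core header can stay at its SAMEORIGIN default and still fail closed in older browsers. The plugin below does that. It assumes a plugin folder named frame_ancestors with an addon.setup.php laid out like the one in the answer ('name' => 'Frame Ancestors', 'namespace' => 'Example\Addons\Frame_ancestors'; both names are assumptions), a tag parameter named origins, and it requires each origin to carry a scheme (https://mysite.com, not mysite.com/xyz):

```php
<?php
/*
 * Added example, not the answer's code and not ExpressionEngine core.
 * Saved as /system/user/addons/frame_ancestors/pi.frame_ancestors.php,
 * beside an addon.setup.php like the one in the answer with
 *   'name'      => 'Frame Ancestors',
 *   'namespace' => 'Example\Addons\Frame_ancestors',   // assumed names
 * Emits Content-Security-Policy: frame-ancestors instead of the
 * non-standard X-Frame-Options: ALLOW-FROM.
 */

class Frame_ancestors
{
    /**
     * Template tag (parameter name "origins" is this example's choice):
     *   {exp:frame_ancestors:allow origins="https://mysite.com https://other.example"}
     *
     * Sends:
     *   Content-Security-Policy: frame-ancestors 'self' https://mysite.com https://other.example
     *
     * 'self' keeps same-site framing working, as SAMEORIGIN did.
     * The tag produces no output in the template.
     */
    public function allow()
    {
        $raw     = (string) ee()->TMPL->fetch_param('origins', '');
        $sources = self::filter_origins($raw);

        $policy = "frame-ancestors 'self'";
        if ( ! empty($sources)) {
            $policy .= ' ' . implode(' ', $sources);
        }

        ee()->output->set_header('Content-Security-Policy: ' . $policy);

        return '';
    }

    /**
     * Accept only scheme://host[:port] entries, separated by spaces or
     * commas; a leading "*." wildcard subdomain is allowed. Paths such as
     * the "/xyz" in the question are rejected because the policy is keyed
     * on the embedding page's origin. Anything else is dropped, so a value
     * pulled from a template variable cannot smuggle extra source
     * expressions or directives into the header. Returns a de-duplicated list.
     */
    public static function filter_origins($raw)
    {
        $seen = array();
        foreach (preg_split('/[\s,]+/', trim($raw)) as $origin) {
            if ($origin === '') {
                continue;
            }
            if (preg_match('#^https?://(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$#', $origin)) {
                $seen[$origin] = TRUE;
            }
        }
        return array_keys($seen);
    }
}
```

Put the tag near the top of the template that the other site embeds; EE collects headers set through ee()->output->set_header() and sends them with the response, so x_frame_options can be left at its default. If the embedding site is a different EE install, the frame-ancestors list is the only place the allowed embedder needs to be named.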

I think that's best done in your .htaccess file

Answered by Jelle Dijkstra on October 3, 2021
