Multiple X-Frame-Options headers conflict in browser by nginx - nginx

I am trying to get a remote web page into an iframe in my project. When I try to open my project's web site, the browser console displays the error below and does not show the page in the iframe.
Nginx Refused to display 'http://www.xxxxx.com/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('DENY, ALLOW-FROM http://www........com'). Falling back to 'deny'.
I also added the line below in the nginx conf:
add_header X-Frame-Options "ALLOW-FROM http://www.......com";
There is no X-Frame-Options = DENY configuration anywhere in my Nginx configuration.
But still, when I run the page, it shows multiple headers. It is as if DENY were a hardcoded default. But I only added one header (ALLOW-FROM).
Where does the other header (DENY) come from? I don't understand. How can I bypass this DENY header, which comes with the response page when I insert it into the iframe?
I also used the Chrome extension Requestly, which can be used to add/remove/modify response headers. It works when I use the Requestly extension on my machine.
But I can't use a Chrome-extension-based solution, as the site is public and not everyone uses Requestly. So I am looking for an Nginx-config-based solution or any server-side solution to remove this header.

I solved this problem in the Django settings, by commenting out some middleware lines and adding some variables. 178.62.107.96 is the server on which we create the iframe and insert the web page created by the Django server:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # Commented out: this also switches off Django's CSRF protection for every view
    #'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Commented out: this middleware is what emitted the X-Frame-Options: DENY header
    #'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
# Only read by XFrameOptionsMiddleware, so it has no effect once that middleware is disabled
X_FRAME_OPTIONS = 'ALLOW-FROM 178.62.*.*'
CSRF_TRUSTED_ORIGINS = ['178.62.*.*']
# None: Django sets no SameSite attribute on the CSRF cookie at all
CSRF_COOKIE_SAMESITE = None

Related

Access websites with iFrame <X-Frame-Options>

I need to have https://web.whatsapp.com embedded in my website via an iframe. I get the X-Frame-Options error. I use an express server and I tried to configure it with helmet:
app.use(
    helmet.frameguard({
        // sets X-Frame-Options on this server's own responses
        action: "sameorigin",
    })
)
Doesn't seem to work. Same with deny. I read that ALLOW-FROM is not supported in the Chrome browser anymore. Is there any chance to bypass or allow X-Frame-Options to accept certain origins? (Maybe there are other options for embedding https://web.whatsapp.com in my website?)
X-Frame-Options prevents a site from being framed. As web.whatsapp.com prevents framing, there is nothing you can do to allow it to be framed, unless you proxy the connection and remove the headers. Adding headers to the site framing the other won't change anything.

Unable to disable X-frame options: sameorigin in nginx

I know this has been asked a fair bit but can't find a solution which works for me.
Trying to put an iframe of our website on a different domain and am getting this error in the browser:
Refused to display 'my-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
I have a Passenger server with an Nginx configuration. My site is https and the certificate is from Let's Encrypt Authority X3. It's a Ruby on Rails app.
I would like to override this setting. I have grep'ed all the files looking for where X-Frame-Options has been set but can't find it anywhere. Where is it coming from and how can I remove it?
Things I've tried:
I have tried setting add_header X-Frame-Options ALLOWALL always in etc/nginx/sites-enabled. I get the following error in the browser: Refused to display 'my-site' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOWALL'). Falling back to 'deny'.
I've also tried add_header X-Frame-Options "" always;
I've looked for an SSL config file inside the snippets folder but there doesn't seem to be one.

Publish HTTPS content onto HTTP page using iframe with HTTPS page x-frame-option set to DENY

Trying to publish HTTPS content (a login form) using an iframe on an HTTP page.
I have permission, but do not have access to the source code of the HTTPS page.
Standard attempts to publish the iframe do not work with this HTTPS page content.
It appears that the HTTPS page's X-Frame-Options is set to DENY.
Is there any way to embed/frame/etc. this HTTPS content on an HTTP page despite the X-Frame-Options objections?
This is a WordPress site. Not sure if that is relevant here.
No, there is not, and this actually has nothing to do with HTTP or HTTPS; it's how the X-Frame-Options header works.
When a resource returns the header X-Frame-Options: DENY, it is not possible to show it in any iframe or iframe-like window, not even one on the same site.
You said you have permission, though, so perhaps you can get the service you are using to use the ALLOW-FROM option for your site. Something like this could be configured to allow your site to frame it:
X-Frame-Options: ALLOW-FROM https://example.com/

Edit a header value in nginx

Background
So I've got a server running a Tomcat application hidden behind an Apache proxy. The proxy provides a more user-friendly URL as well as SSL encryption, with automatic redirects so that the app is only accessible over https.
I'm busy migrating this to an nginx proxy.
One of the issues I've had is that upon login, my app sends back a "LocationAfterLogon" header in the HTTP response in the form
http://192.168.x.x:8080/myapp/index.jsp.
That IP address returned is from the proxied server, which is not visible on the internet. So the browser gets a connection error trying to navigate to it.
As a workaround, I've used these nginx directives:
proxy_hide_header: to hide the LocationAfterLogon header coming back from the proxied server
add_header: to add a new LocationAfterLogon URL.
So my config looks as follows:
#header for location after logon of demo app
add_header LocationAfterLogon http://example.com/demo/index.jsp;
#hide the real LocationAfterLogon
proxy_hide_header LocationAfterLogon;
The Problem
I need to be able to do a regex replace or similar on LocationAfterLogon, because it won't always be index.jsp, depending on which URL was intercepted by the login page.
I am aware that I can also rewrite the Tomcat app to send back a relative URL instead, but I'd like to do it all in the nginx config.
I've also read about nginx more_set_headers. Haven't tried it yet. Does it allow me to edit the headers?
Apache has the Header edit directive, which I was using previously, so I'm looking for something like that.
TL;DR
Is it possible to edit a header value using a regex replace or similar in Nginx?
You can use the map directive to rewrite your header:
map $upstream_http_locationafterlogon $new_location {
    # no match: pass the upstream value through unchanged instead of an empty
    # value (add_header silently skips a header whose value is empty)
    default $upstream_http_locationafterlogon;
    # example pattern built from the URLs in the question: turn
    # http://<internal host>/myapp/<rest> into http://example.com/demo/<rest>
    ~^https?://[^/]+/myapp(?<rest>/.*)?$ http://example.com/demo$rest;
}
proxy_hide_header LocationAfterLogon;
# "always" so the header is also set on non-2xx/3xx responses
add_header LocationAfterLogon $new_location always;
See the documentation: http://nginx.org/en/docs/http/ngx_http_map_module.html

Nginx is ignoring my headers

I'm working with Apache on my local instance and nginx in production.
I have a JavaScript application that sets headers in API calls to authenticate the user. It's working fine locally with my Apache server. However, for some reason, my custom headers are ignored by Nginx.
I tried to add this line in my site configuration:
add_header 'Access-Control-Allow-Origin' '*';
But it still ignores the headers.
Does anyone know where I should look to get around this?
Cheers,
Maxime
I found what the issue was.
My custom headers were API_USER and API_TOKEN.
There is a directive in Nginx that says to ignore headers with a '_' in the name, more info here
So I've updated my custom headers to x-api-user and x-api-token and now it's working like a charm!
