
I have set the X-Frame-Options header in Apache to DENY. The response header is correctly sent to the browser (see image). I just created a simple HTML file that loads an iframe which is loaded without any issue. I also checked Chrome devtools and the response header returns "x-frame-options: DENY". I was assuming that the header would block all iframes from being loaded?

X-Frame-Options Response

Full Response Header

2 Answers


  1. Please do not send Access-Control-Allow-Origin in the response if you are sending it. That could solve your problem.

  2. Not really. X-Frame-Options: DENY prevents YOUR page from being loaded inside an iframe.

    X-Frame-Options: SAMEORIGIN – will block only loading from other domains.

    It does nothing with iframes on the current page.

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a , ,

    Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

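The behaviour described in the second answer, as an added example that is not part of the original question or answers: a simplified JavaScript model of the check a browser makes before rendering a framed response. The function names, URLs and header sets are constructed, and the model is an assumption about browser behaviour, not browser source code.

```javascript
// Added example: simplified model of how a browser applies X-Frame-Options.
// All URLs and header sets below are constructed for illustration.

// Collect the X-Frame-Options values of ONE response (names are
// case-insensitive, values may be comma-separated).
function xfoValues(headers) {
  const values = new Set();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "x-frame-options") continue;
    for (const v of value.split(",")) {
      if (v.trim()) values.add(v.trim().toLowerCase());
    }
  }
  return values;
}

// Decide whether the response for framedUrl may render inside a frame.
// ancestorUrls lists every embedding page, direct parent first.
// Headers sent with the ancestor pages are never an input.
function mayRenderInFrame(framedUrl, framedHeaders, ancestorUrls) {
  const values = xfoValues(framedHeaders);
  const known = ["deny", "sameorigin", "allowall"];
  if (values.size > 1 && known.some((v) => values.has(v))) return false; // conflicting
  if (values.has("deny")) return false;
  if (values.has("sameorigin")) {
    const origin = new URL(framedUrl).origin;
    return ancestorUrls.every((u) => new URL(u).origin === origin);
  }
  return true; // no header, or a value the browser does not recognise
}

// Constructed scenario: the page that sends DENY embeds other documents.
function demo() {
  const parent = "https://mysite.example/test.html"; // served with DENY
  const sameOrigin = { "X-Frame-Options": "SAMEORIGIN" };
  return {
    parentFramesPlainPage: mayRenderInFrame("https://other.example/widget.html", {}, [parent]),
    otherSiteFramesParent: mayRenderInFrame(parent, { "X-Frame-Options": "DENY" }, ["https://other.example/"]),
    sameSiteFramesParent: mayRenderInFrame(parent, { "x-frame-options": "DENY" }, ["https://mysite.example/"]),
    sameOriginAllowed: mayRenderInFrame("https://mysite.example/a.html", sameOrigin, [parent]),
    crossOriginBlocked: mayRenderInFrame("https://mysite.example/a.html", sameOrigin, ["https://other.example/"]),
  };
}
console.log(demo());
```

To confirm the header is doing its job, frame the protected page from a second test page and check that the browser refuses to render it.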