Change the HEADER X-Frame-Options to one of my environments

carlos.claro · December 9, 2020, 1:15am

I am trying to display the front-end of my site http://qa.uno.com.au/ inside of an IFrame in my CMS (Sanity) and I am getting “Refused to display ‘https://qa.uno.com.au//find-me-a-home-loan-super-rewards/’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.”

is this something that I can manage via netlify.toml file?

site name: mystifying-stonebraker-9e3541

Thanks.

hrishikesh · December 9, 2020, 6:54pm

As per MDN: X-Frame-Options - HTTP | MDN, the allow value won’t work for modern browsers, except for same origin.

isaac-martin · December 16, 2020, 7:19pm

hey @carlos.claro did you figure this out? I am trying to do exactly the same thing.

isaac-martin · December 16, 2020, 10:15pm

@carlos.claro i got this working for my preview in sanity

Content-Security-Policy: frame-ancestors 'self' https://SANITYSITEID.sanity.studio,

carlos.claro · December 16, 2020, 10:42pm

Hi @isaac-martin had parked this for a bit but your solution looks promising, let me give a go!
Thanks.

carlos.claro · January 18, 2021, 12:44pm

Hey @isaac-martin was your change added to the .toml file? Thanks.

isaac-martin · January 19, 2021, 6:46pm

Mine was added to the headers field in gatsby-plugin-netlify however it outputs on build to my _headers file. Believe adding to toml does it the same.

logemann · February 5, 2021, 12:32pm

can you elaborate how you put it into gatsby via the plugin?

isaac-martin · February 5, 2021, 7:41pm

   {
  resolve: "gatsby-plugin-netlify",
  options: {
  headers: {
      "/*": [
        "X-XSS-Protection: 1; mode=block",
        "X-Content-Type-Options: nosniff",
        "Referrer-Policy: same-origin",
        `Content-Security-Policy: frame-ancestors 'self' https://brex.sanity.studio`,
      ],
    },
  },
},

isaac-martin · February 5, 2021, 7:43pm

Just put it above for you - let me know if that is enough.

kevinkatler · October 24, 2022, 2:05pm

You cannot display a lot of websites inside an iFrame. Reason being that they send an “X-Frame-Options: SAMEORIGIN” response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

I faced the same error when displaying YouTube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s

I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s

It works well.

Try to apply the same rule on your case.

SAMEORIGIN

The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.

Umang · August 1, 2024, 5:35pm

Facing same error Could you plz help me !

hrishikesh · August 3, 2024, 11:51am

Don’t dupliate yourself: Invalid 'X-Frame-Options' header encountered when loading 'https://store.duxiana.com/': 'allow-from https://store.duxiana.com/' is not a recognized directive. The header will be ignored.Understand this error chrome-error://chromewebdata/:1 Refused to disp

Topic		Replies	Views
Breaking change: X-Frame-Options set to DENY Support deployment , gatsby , headers	2	1637	June 29, 2024
Invalid 'X-Frame-Options' header encountered when loading 'https://store.duxiana.com/': 'allow-from https://store.duxiana.com/' is not a recognized directive. The header will be ignored.Understand this error chrome-error://chromewebdata/:1 Refused to disp Support deployment , gatsby	14	144	August 26, 2024
X-frame-options header not updated - Cached headers? Support deployment , headers	1	1404	January 1, 2021
Connection refused for index.htm from Gatsby static files Support deployment , netlify-newbie , gatsby	1	147	March 27, 2024
NextJS build ignoring headers set in netlify.toml Support deployment , security	28	4502	February 1, 2024

Change the HEADER X-Frame-Options to one of my environments

Related topics