cancel
Showing results for 
Search instead for 
Did you mean: 

Magento 2 - Can't display frontend in iframe

SOLVED

Magento 2 - Can't display frontend in iframe

Hi everyone,

 

I am facing a problem with the x-frame-options header.

My website has a custom module of punchout. The problem is several customers, who use this functionnality, are displaying the website through iframe ( for example, the Ariba marketplace ). 

 

With magento 1, the problem was simply solved with a native option in the backoffice.

But with Magento 2, the option doesn't exist anymore and I didn't succeed to delete the x-frame-options header.

In the env.php file, the header is set  like this : 'x-frame-options' => 'SAMEORIGIN'.

I can't use 'sameorigin' because my customers are not on the same domain. I tried to delete the line in the file but something still adds the header.

 

I found in a topic of another website to use the value " * " instead of "sameorigin" but the solution is causing file downloading issue. 

 

How can I completely delete this header ?

 

Thank you for your future answers.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Magento 2 - Can't display frontend in iframe

Hello !

 

I found a solution :

 

1 - Remove the x-frame-options from the env.php

2 - Override the \Magento\Framework\App\Response\HeaderProvider\XFrameOptions.php file ( don't forget the di.xml ) and comment the content of the __construct

class XFrameOptions extends \Magento\Framework\App\Response\HeaderProvider\XFrameOptions
{
    /** Deployment config key for frontend x-frame-options header value */
    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';

    /** Always send SAMEORIGIN in backend x-frame-options header */
    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';

    /**
     * x-frame-options Header name
     *
     * @var string
     */
    protected $headerName = Http::HEADER_X_FRAME_OPT;

    /**
     * x-frame-options header value
     *
     * @var string
     */
    protected $headerValue;

    /**
     * @param string $xFrameOpt
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        //$this->headerValue = $xFrameOpt;
    }
}

I don't know if it's the best way to do it but it works ^^ 

View solution in original post

5 REPLIES 5

Re: Magento 2 - Can't display frontend in iframe

Hello !

 

I found a solution :

 

1 - Remove the x-frame-options from the env.php

2 - Override the \Magento\Framework\App\Response\HeaderProvider\XFrameOptions.php file ( don't forget the di.xml ) and comment the content of the __construct

class XFrameOptions extends \Magento\Framework\App\Response\HeaderProvider\XFrameOptions
{
    /** Deployment config key for frontend x-frame-options header value */
    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';

    /** Always send SAMEORIGIN in backend x-frame-options header */
    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';

    /**
     * x-frame-options Header name
     *
     * @var string
     */
    protected $headerName = Http::HEADER_X_FRAME_OPT;

    /**
     * x-frame-options header value
     *
     * @var string
     */
    protected $headerValue;

    /**
     * @param string $xFrameOpt
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        //$this->headerValue = $xFrameOpt;
    }
}

I don't know if it's the best way to do it but it works ^^ 

Re: Magento 2 - Can't display frontend in iframe

You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

I faced the same error when displaying youtube links. For example:

 

https://www.youtube.com/watch?v=8WkuChVeL0s

 

I replaced watch?v= with embed/ so the valid link will be:

 

https://www.youtube.com/embed/8WkuChVeL0s

 

It works well.

 

Try to apply the same rule on your case.

 

SAMEORIGIN

 

The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.

 

Re: Magento 2 - Can't display frontend in iframe

Try using this punchout plugin from the marketplace which is also available here.

It supports oci and cxml punchout and works with unlimited connections.

Re: Magento 2 - Can't display frontend in iframe

What do you mean by "Don't forge di.xml" what to do in that.

Re: Magento 2 - Can't display frontend in iframe

That can be done with some htaccess settings along with a cookie management plugin. This plugin is generally available with extensions like Punchout Gateway for Magento or can be asked to build separately.