Hi everyone,
I am facing a problem with the X-Frame-Options header.
My website has a custom punchout module. The problem is that several customers who use this functionality display the website inside an iframe (for example, the Ariba marketplace).
With Magento 1, the problem was simply solved with a native option in the back office.
But with Magento 2, the option doesn't exist anymore and I haven't succeeded in removing the X-Frame-Options header.
In the env.php file, the header is set like this: 'x-frame-options' => 'SAMEORIGIN'.
I can't use 'sameorigin' because my customers are not on the same domain. I tried to delete the line in the file, but something still adds the header.
I found a thread on another website suggesting the value "*" instead of "sameorigin", but that solution causes a file download issue.
How can I completely remove this header?
Thank you in advance for your answers.
Hello!
I found a solution:
1 - Remove the x-frame-options entry from env.php
2 - Override the \Magento\Framework\App\Response\HeaderProvider\XFrameOptions.php file (don't forget the di.xml) and comment out the content of __construct

```php
<?php
// Hypothetical module namespace; adjust to your own module.
// Register this class in the module's etc/di.xml with a <preference> that maps
// Magento\Framework\App\Response\HeaderProvider\XFrameOptions to it.
namespace Vendor\Module\Response\HeaderProvider;

use Magento\Framework\App\Response\Http;

class XFrameOptions extends \Magento\Framework\App\Response\HeaderProvider\XFrameOptions
{
    /** Deployment config key for frontend x-frame-options header value */
    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';

    /** Always send SAMEORIGIN in backend x-frame-options header */
    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';

    /**
     * x-frame-options Header name
     *
     * @var string
     */
    protected $headerName = Http::HEADER_X_FRAME_OPT;

    /**
     * x-frame-options header value
     *
     * @var string
     */
    protected $headerValue;

    /**
     * @param string $xFrameOpt
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        // Deliberately commented out: no X-Frame-Options value is ever
        // assigned, which is what stops the SAMEORIGIN header being applied.
        //$this->headerValue = $xFrameOpt;
    }
}
```

I don't know if it's the best way to do it, but it works ^^
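The override above disables framing protection for every visitor, which leaves the storefront open to clickjacking. The same override technique can instead emit a Content-Security-Policy frame-ancestors allowlist, the standard replacement for the never-widely-supported X-Frame-Options: ALLOW-FROM, so only the punchout partners' origins may frame the store. The following is an added example, not code from the original post or from Magento core. The module name Vendor\Punchout, the class name FrameAncestors and the partner origins are assumptions; it also assumes that Magento's app/etc/di.xml keeps injecting the env.php 'x-frame-options' value into the provider's $xFrameOpt argument, as it does for the stock class, and that HeaderManager sends each provider's getName()/getValue() pair.

```php
<?php
// Added example, not from the original post or from Magento core.
// Namespace, class name and the partner origins below are assumptions.
//
// Wire it in with a di.xml preference (etc/di.xml of the hypothetical module):
//
//   <preference for="Magento\Framework\App\Response\HeaderProvider\XFrameOptions"
//               type="Vendor\Punchout\Response\HeaderProvider\FrameAncestors"/>
//
// and put the allowlist in app/etc/env.php where SAMEORIGIN used to be:
//
//   'x-frame-options' => 'https://service.ariba.com https://partner.example',
//
// Magento's app/etc/di.xml passes that env.php value to the provider as
// $xFrameOpt (assumption: same wiring as the stock XFrameOptions class).

declare(strict_types=1);

namespace Vendor\Punchout\Response\HeaderProvider;

use Magento\Framework\App\Response\HeaderProvider\XFrameOptions;

class FrameAncestors extends XFrameOptions
{
    /** Send a CSP frame-ancestors directive instead of X-Frame-Options. */
    protected $headerName = 'Content-Security-Policy';

    /** @var string[] sources allowed to frame the storefront, CSP syntax */
    private array $allowedOrigins;

    /**
     * @param string $xFrameOpt space-separated list of https origins, or the
     *        legacy SAMEORIGIN / DENY values, which are mapped to 'self' / 'none'
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        parent::__construct($xFrameOpt);
        $this->allowedOrigins = self::parseOrigins((string) $xFrameOpt);
        $this->headerValue = self::buildDirective($this->allowedOrigins);
    }

    /**
     * Keep only well-formed https origins. Anything else ("*", paths, schemes
     * other than https, stray characters) is dropped, so a typo in env.php
     * degrades to 'self' rather than silently opening framing to the world.
     *
     * @return string[]
     */
    public static function parseOrigins(string $value): array
    {
        $upper = strtoupper(trim($value));
        if ($upper === 'SAMEORIGIN') {
            return ["'self'"];
        }
        if ($upper === '' || $upper === 'DENY') {
            return ["'none'"];
        }

        $origins = [];
        foreach (preg_split('/\s+/', trim($value)) as $candidate) {
            // scheme://host[:port] only; no path, query, wildcard or userinfo
            if (preg_match('#^https://[a-z0-9.-]+(?::\d{1,5})?$#i', $candidate)) {
                $origins[] = strtolower($candidate);
            }
        }

        // 'self' stays in the list so the store's own pages can still frame
        // each other; the partner origins are appended after it.
        return array_values(array_unique(array_merge(["'self'"], $origins)));
    }

    /** Build the directive value, e.g. "frame-ancestors 'self' https://a.example;" */
    public static function buildDirective(array $origins): string
    {
        return 'frame-ancestors ' . implode(' ', $origins) . ';';
    }
}
```

After deploying, check the response rather than the config: curl -sI https://store.example/ | grep -iE '^(x-frame-options|content-security-policy):' should show the frame-ancestors directive and no X-Frame-Options line (Varnish or a CDN in front of Magento can cache or strip headers, so check through the same path the partner uses). If the Magento_Csp module is also enabled, inspect the full set of Content-Security-Policy headers, because browsers enforce every one that is present.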
You cannot display a lot of websites inside an iframe. The reason is that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page.
I faced the same error when displaying YouTube links. For example:
https://www.youtube.com/watch?v=8WkuChVeL0s
I replaced watch?v= with embed/ so the valid link will be:
https://www.youtube.com/embed/8WkuChVeL0s
It works well.
Try applying the same rule to your case.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.
Try using this punchout plugin from the marketplace, which is also available here.
It supports OCI and cXML punchout and works with unlimited connections.
What do you mean by "Don't forget the di.xml"? What needs to be done in it?
That can be done with some .htaccess settings along with a cookie management plugin. This plugin is generally available with extensions like Punchout Gateway for Magento, or it can be requested as a separate build.