Magento Forums
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Magento 2 - Can't display frontend in iframe

SOLVED
Go to solution
‎02-28-2020 06:15 AM
‎02-28-2020 06:15 AM

Magento 2 - Can't display frontend in iframe

Hi everyone,

 

I am facing a problem with the x-frame-options header.

My website has a custom module of punchout. The problem is several customers, who use this functionnality, are displaying the website through iframe ( for example, the Ariba marketplace ). 

 

With magento 1, the problem was simply solved with a native option in the backoffice.

But with Magento 2, the option doesn't exist anymore and I didn't succeed to delete the x-frame-options header.

In the env.php file, the header is set  like this : 'x-frame-options' => 'SAMEORIGIN'.

I can't use 'sameorigin' because my customers are not on the same domain. I tried to delete the line in the file but something still adds the header.

 

I found in a topic of another website to use the value " * " instead of "sameorigin" but the solution is causing file downloading issue. 

 

How can I completely delete this header ?

 

Thank you for your future answers.

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
‎03-02-2020 05:16 AM
‎03-02-2020 05:16 AM

Re: Magento 2 - Can't display frontend in iframe

Hello !

 

I found a solution :

 

1 - Remove the x-frame-options from the env.php

2 - Override the \Magento\Framework\App\Response\HeaderProvider\XFrameOptions.php file ( don't forget the di.xml ) and comment the content of the __construct

class XFrameOptions extends \Magento\Framework\App\Response\HeaderProvider\XFrameOptions
{
    /** Deployment config key for frontend x-frame-options header value */
    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';

    /** Always send SAMEORIGIN in backend x-frame-options header */
    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';

    /**
     * x-frame-options Header name
     *
     * @var string
     */
    protected $headerName = Http::HEADER_X_FRAME_OPT;

    /**
     * x-frame-options header value
     *
     * @var string
     */
    protected $headerValue;

    /**
     * @param string $xFrameOpt
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        //$this->headerValue = $xFrameOpt;
    }
}

I don't know if it's the best way to do it but it works ^^ 

View solution in original post

0 Kudos
3 REPLIES 3
‎03-02-2020 05:16 AM
‎03-02-2020 05:16 AM

Re: Magento 2 - Can't display frontend in iframe

Hello !

 

I found a solution :

 

1 - Remove the x-frame-options from the env.php

2 - Override the \Magento\Framework\App\Response\HeaderProvider\XFrameOptions.php file ( don't forget the di.xml ) and comment the content of the __construct

class XFrameOptions extends \Magento\Framework\App\Response\HeaderProvider\XFrameOptions
{
    /** Deployment config key for frontend x-frame-options header value */
    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';

    /** Always send SAMEORIGIN in backend x-frame-options header */
    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';

    /**
     * x-frame-options Header name
     *
     * @var string
     */
    protected $headerName = Http::HEADER_X_FRAME_OPT;

    /**
     * x-frame-options header value
     *
     * @var string
     */
    protected $headerValue;

    /**
     * @param string $xFrameOpt
     */
    public function __construct($xFrameOpt = 'SAMEORIGIN')
    {
        //$this->headerValue = $xFrameOpt;
    }
}

I don't know if it's the best way to do it but it works ^^ 

0 Kudos
‎03-01-2021 10:55 PM
‎03-01-2021 10:55 PM

Re: Magento 2 - Can't display frontend in iframe

You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

I faced the same error when displaying youtube links. For example:

 

https://www.youtube.com/watch?v=8WkuChVeL0s

 

I replaced watch?v= with embed/ so the valid link will be:

 

https://www.youtube.com/embed/8WkuChVeL0s

 

It works well.

 

Try to apply the same rule on your case.

 

SAMEORIGIN

 

The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.

 

0 Kudos
‎01-30-2024 10:41 AM
‎01-30-2024 10:41 AM

Re: Magento 2 - Can't display frontend in iframe

Try using this punchout plugin from the marketplace which is also available here.

It supports oci and cxml punchout and works with unlimited connections.

0 Kudos