jeum

Reputation: 1094

How to set the X-Frame-Options for content hosted by GitHub?

I want an HTML file to be loaded as an iframe by any URL; it's hosted by GitHub.

This solution doesn't work:

<?php
header('X-Frame-Options: GOFORIT'); 
?>

And I suppose that we can't apply this one (mod_headers), so is there a way to do that?

Upvotes: 8

Views: 4811

Answers (2)

thejh

Reputation: 45578

As jeum explained, no dice with an iframe, it just won't work. If you could override the directive with a meta tag, it might work, but you can't:

Note that this token must be sent as a HTTP Header, and the directive will be ignored if found in a META HTTP-EQUIV tag.

So, it doesn't work with an iframe. But does it really have to be an iframe? Because loading a script will still work, so you could do something like this:

Script on your site (let's call it load_content.js):

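// Build a container holding the content to embed.
var node = document.createElement('div');
node.innerHTML = '{place your code encoded as a JS string here}';
// Append to <body> (the script tag must sit inside <body>); document.appendChild() would throw because the document already has a root element.
document.body.appendChild(node);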

And then use it from other sites like this:

<script src="{URL to load_content.js}"></script>

Of course, this has some security implications for the sites on which you use it, but it might be sufficient for your needs.


OTOH, why don't you just host that content elsewhere? A small virtual server doesn't exactly cost a lot (unless you want tons of RAM and hard disk space) (I pay maybe 6€ per month or so), and even if you can't afford to pay any money, there are sites that let you host a few HTML pages for free, I think.

Upvotes: 1

jeum

Reputation: 1094

Support answer:

We block iframes to prevent clickjacking attacks against our users. We do this by sending the "X-Frame-Options: deny" header for every page. Clickjacking is a legitimate attack vector and at this time we do not have plans to remove the "X-Frame-Options: deny" header or allow exceptions for non-GitHub owned properties. It's unfortunate that such measures are necessary, but we have a responsibility to take all practical steps to protect our users.

Upvotes: 4
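Why a header value such as GOFORIT cannot undo the host's "X-Frame-Options: deny", shown as an added example (not code from either answer or from GitHub): a simplified model of how a browser evaluates the X-Frame-Options response header before rendering a page in a frame. The function names, origins and sample headers are constructed for illustration, and Content-Security-Policy frame-ancestors, which takes precedence when present, is left out.

```javascript
// Simplified model of browser X-Frame-Options evaluation (added example).
// All names and sample values below are hypothetical / constructed.
const KNOWN = new Set(['deny', 'sameorigin', 'allowall']);

// headerValues: every X-Frame-Options value found on the HTTP response.
// pageOrigin: origin of the framed page; ancestorOrigins: origins of all frames above it.
function mayBeFramed(headerValues, pageOrigin, ancestorOrigins) {
  // Repeated headers and comma-separated lists collapse into one token set.
  const tokens = new Set(
    headerValues.flatMap(v => v.split(','))
      .map(t => t.trim().toLowerCase())
      .filter(t => t.length > 0)
  );
  const hasKnown = [...tokens].some(t => KNOWN.has(t));

  // Several different tokens: if any is recognised, the conflict fails closed.
  if (tokens.size > 1) return !hasKnown;
  if (tokens.has('deny')) return false;
  if (tokens.has('sameorigin')) {
    return ancestorOrigins.every(o => o === pageOrigin);
  }
  // No header, or a single unrecognised token: this header imposes no restriction.
  return true;
}

// Only real response headers are consulted; markup (<meta http-equiv>) is never an input.
function effectivePolicy(responseHeaders, pageOrigin, ancestorOrigins) {
  const values = responseHeaders
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .map(([, value]) => value);
  return mayBeFramed(values, pageOrigin, ancestorOrigins);
}

// Constructed sample: the host adds "deny"; the page author's value arrives as a second header.
const HOST = 'https://host.example';
const EMBEDDER = 'https://embedder.example';
const SAMPLE_RESPONSE = [
  ['Content-Type', 'text/html'],
  ['X-Frame-Options', 'deny'],
  ['X-Frame-Options', 'GOFORIT'],
];
```

An unrecognised token on its own lifts nothing because there is nothing to lift, and next to the host's deny it only creates a conflict that is resolved by blocking.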
