Reputation: 5957
Override HTTP header's default settings (X-FRAME-OPTIONS)
I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want : X-Frame-Options: SAMEORIGIN
For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php
I'm looking for a better solution. I've try in the filtre.php file :
App::after(function($request, $response) {
$response->header('X-Frame-Options', 'ALLOW-ALL');
});
But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.
Upvotes: 15
Views: 55761
Answers (2)
Reputation: 5957
Laravel doesn't provide any configuration to disable this functionality.
According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:
App::forgetMiddleware('Illuminate\Http\FrameGuard');
The dirty solution is to comment the guilty line:
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about next Laravel's policy.
Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.
Upvotes: 24
Related Questions
- How to set X-Frame-Options in laravel project?
- Where can I set headers in laravel
- how do I set headers programmatically on Laravel Http Client?
- Laravel Not Adding Custom Headers
- Modify headers x-frame-options in .htaccess
- .htaccess X-Frame-Options header not set for some Laravel routes
- X-FRAME-OPTIONS is shown twice and X-XSS-PROTECTION is shown wrong
- Add multiple domains in x-frame-options on header with Laravel
- Laravel 4 refuses to load iframe due to 'X-Frame-Options' to 'SAMEORIGIN'
- Setting headers in Laravel