user471317

Reputation: 1231

How to iframe a page from same domain with X-Frame-Options SAMEORIGIN?

We have this page, www.ourdomain.com/home.html

Inside home.html, there is an iframe with src set to yyy.ourdomain.com/index.html. All pages on yyy.ourdomain.com have X-Frame-Options set to SAMEORIGIN. And because of this header, the iframe content doesn't load. I get this error.

Firefox - Load denied by X-Frame-Options: http://yyy.ourdomain.com/index.html does not permit cross-origin framing.

Chrome - Refused to display 'http://yyy.ourdomain.com/index.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Both home.html and index.html have this line of JavaScript code:

document.domain = 'ourdomain.com';

How can I make this work?

PS - I don't have the option of removing the X-Frame-Options header.

Thanks.

Upvotes: 1

Views: 5973

Answers (1)

Yusef Maali

Reputation: 2431

The headers X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN won't allow you in any way to render a page in a <frame>, <iframe> or <object>.

The only working way I found is to create a proxy page in the main domain that loads the HTML content of the requested subdomain page.

See

for more information

Upvotes: 2
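
The check behind the two browser errors quoted in the question, as an added example that is not part of the original question or answer: it models how SAMEORIGIN compares full origins (scheme, host and port) of the framed page and its ancestors, which is why www.ourdomain.com cannot frame yyy.ourdomain.com, and document.domain is not an input to the comparison. The function names, the http scheme for home.html and the wrapper.html page are assumptions made for illustration.

```javascript
// Added example: a model of the X-Frame-Options decision, not a browser API.
// Function names are hypothetical.

// An origin is scheme + host + port; URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// headerValue:  X-Frame-Options value sent with the framed page, or null.
// frameUrl:     URL of the framed document.
// ancestorUrls: URLs of every embedding document, direct parent first.
function xfoAllowsFraming(headerValue, frameUrl, ancestorUrls) {
  if (headerValue == null) return { allowed: true, reason: "no header" };
  const policy = headerValue.trim().toUpperCase();
  if (policy === "DENY") return { allowed: false, reason: "DENY" };
  if (policy === "SAMEORIGIN") {
    const frameOrigin = originOf(frameUrl);
    // Every ancestor must match, so a same-origin wrapper nested inside a
    // cross-origin page is still refused.
    const bad = ancestorUrls.find((u) => originOf(u) !== frameOrigin);
    return bad
      ? { allowed: false, reason: `${originOf(bad)} is not ${frameOrigin}` }
      : { allowed: true, reason: "all ancestors same-origin" };
  }
  // Assumption of this model: any other value imposes no restriction.
  return { allowed: true, reason: "value not modelled" };
}

// Constructed inputs based on the question (http scheme assumed for home.html).
const FRAME = "http://yyy.ourdomain.com/index.html";
const HOME = "http://www.ourdomain.com/home.html";
const WRAPPER = "http://yyy.ourdomain.com/wrapper.html"; // hypothetical page

function runScenarios() {
  return {
    fromHome: xfoAllowsFraming("SAMEORIGIN", FRAME, [HOME]),
    fromWrapper: xfoAllowsFraming("SAMEORIGIN", FRAME, [WRAPPER]),
    wrapperInsideHome: xfoAllowsFraming("SAMEORIGIN", FRAME, [WRAPPER, HOME]),
  };
}

console.log(runScenarios());
```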
