I keep getting the same error. I use Helmet to set X-Frame-Options, and for the other headers I set the Access-Control-Allow-* values myself. The Firefox console shows "Load denied by X-Frame-Options: does not permit framing." The Chrome console shows "Refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'."
What things can I try to resolve this?
const app = express();
const helmet = require('helmet');

// NOTE(review): X-Frame-Options sent by this server only controls which
// sites may embed THIS app's pages in a frame. It has no influence on
// whether a third-party page can be framed by this app; that is decided by
// the headers the third party sends with its own responses.
//
// NOTE(review): ALLOW-FROM is obsolete. Chrome and Safari never implemented
// it and current Firefox ignores it, so in those browsers this header
// applies no framing restriction at all. The supported control is the CSP
// `frame-ancestors` directive (Helmet's contentSecurityPolicy,
// `frameAncestors`); later Helmet releases dropped the 'allow-from' action.
// ALLOW-FROM is also defined for an origin, not a URL with a path.
const frameguardOptions = {
  action: 'allow-from',
  domain: 'https://calendar.google.com/calendar/',
};

app.use(helmet({ frameguard: frameguardOptions }));
/**
 * Express middleware that attaches permissive CORS headers to every response
 * and answers OPTIONS requests itself with status 200.
 *
 * NOTE(review): CORS headers control cross-origin reads made by scripts;
 * they have no bearing on whether a page may be displayed in a frame.
 *
 * NOTE(review): `Access-Control-Allow-Origin: *` lets a script on any
 * website read this API's responses for non-credentialed requests. If the
 * API is meant for known front-ends only, prefer an explicit origin
 * allowlist (echo the matched origin and send `Vary: Origin`). The `*`
 * entry in Allow-Headers is honoured as a wildcard only for requests
 * without credentials and does not cover `Authorization`.
 *
 * @param {object} req - Express request; only `req.method` is read.
 * @param {object} res - Express response; headers are set on it.
 * @param {Function} next - Called for every method except OPTIONS.
 */
const enableCORS = function(req, res, next) {
  const corsHeaders = [
    ['Access-Control-Allow-Origin', '*'],
    ['Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'],
    ['Access-Control-Allow-Headers', 'Content-Type, token, Content-Length, X-Requested-With, *'],
  ];
  for (const [headerName, headerValue] of corsHeaders) {
    res.header(headerName, headerValue);
  }

  // Anything that is not an OPTIONS request continues down the middleware chain.
  if (req.method !== 'OPTIONS') {
    next();
    return;
  }

  // OPTIONS requests are answered here and never reach later handlers.
  res.sendStatus(200);
};
// Catch-all route: matches every method (OPTIONS included) on every path,
// sets the wildcard CORS headers and hands the request on.
// NOTE(review): these are the same three headers enableCORS sets, so every
// response has them written twice. The wildcard origin exposes responses to
// scripts on any site; none of these headers affects framing.
app.all("/*", (req, res, next) => {
  const permissiveCors = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET,PUT,POST,DELETE,OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, token, Content-Length, X-Requested-With, *',
  };
  for (const [field, value] of Object.entries(permissiveCors)) {
    res.header(field, value);
  }
  // An earlier attempt, left commented out by the author, set the frame
  // header by hand: res.set('X-Frame-Options', 'ALLOW-FROM htps://google.com/');
  // (note the misspelled scheme). It would only have governed who may frame
  // this app, and ALLOW-FROM is ignored by current browsers.
  next();
});

// Registered after the catch-all, so it runs second: it rewrites the same
// headers and is the handler that ends OPTIONS requests with a 200.
app.use(enableCORS);
Your configuration does the opposite:
frameguard: {
action: 'allow-from',
domain: 'https://calendar.google.com/calendar/'
}
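will allow https://calendar.google.com/calendar/ to put your page in an iframe (in browsers that still honour ALLOW-FROM; the current mechanism for this is the CSP frame-ancestors directive).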
Some websites do not allow other websites to frame their content, and that is why you got the error: if https://calendar.google.com/calendar/ sets X-Frame-Options to DENY, SAMEORIGIN, or ALLOW-FROM http://example.com (where http://example.com is some domain other than yours), you cannot frame any of the https://calendar.google.com/calendar/ content. That decision is made by the headers on the framed site's response, so nothing you set on your own server changes it.
Take a look here and here for more information.