Reputation: 11
'X-Frame-Options','SAMEORIGIN' Cross Domain Iframe issue
I have 2 projects in node JS. I have included the response to the header of my project is res. header('X-Frame-Options','SAMEORIGIN').
When I generate the source link and include it with the element , this link only working for my domain, I can't include the with other domains.
How can access the with a different domain
Thank you...!
Upvotes: 1
Views: 5206
Answers (2)
Reputation: 2111
The main purpose of adding the X-Frame-Options headers is to prevent your page from being rendered within an <iframe> (or within a <frame>, <embed>, <object>). Based on the value of the header, you can prevent it completely or just allow embedding within the same origin.
So if you need to allow rendering your page from any domain, you can just remove that header from the response.
Please refer this for more details https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Upvotes: 1
Reputation: 86
when it comes to security, I suggest using helmet.js. So better install helmet.js then use it as middleware for security issues. For example write code below:
const express = require("express");
const helmet = require("helmet");
app = express();
app.use(helmet({
contentSecurityPolicy: {
directives: {
"frame-ancestors": ["'self'", "https://otherDomain.com", "https://www.oneMoreDomain.com"]
}
}
}));
ContentSecurityPolicy's frame-ancestors is doing the same thing as FRAME-OPTIONS, but you can add whitelist of domains which will have permission using frames.
Upvotes: 4
Related Questions
- "in a frame because it set 'X-Frame-Options' to 'sameorigin'." In node APP
- Understanding Cross-Domain issue in Iframes
- Cross domain iframe issue
- Iframe cross domain issue
- How to iframe a page from same domain with X-Frame-Options SAMEORIGIN?
- Strange cross-domain issue with iframe
- js cross-domain to iframe
- 'X-Frame-Options' to 'SAMEORIGIN'. error
- Cross domain issue with iframes
- cross domain iFrames communication problem