Bug #8156
closedX-Frame-Option=SAMEORIGIN doesn't let my application be visualized inside iframe
0%
Description
I call local server application inside iFrame. I see an empty iframe box in browser end error: "Refused to display 'http://localhost:8080/hello' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
To make it work I had to remove line "response.addHeader("X-Frame-Options", "SAMEORIGIN");" from "void WebRenderer::serveBootstrap(WebResponse& response)" method.
It it a bug or there is some workaround besides code changing?
Files
Updated by Korneel Dumon almost 4 years ago
This is a security feature, you can use widgetset to embed an application in other pages (like in your other question).
Updated by Marco Kinski about 3 years ago
I would appreciate a setting for the WApplication instance which let's the developer of the app decide if it needs prevention from clickjacking or not.
I then would build two flavors of the app. One without access to security related functionality but allowed to get embeded and a unrestricted not embedable.
Updated by Matthias Van Ceulebroeck about 2 months ago
- Related to Improvements #13187: Allow custom headers to be configured in the config file added
Updated by Matthias Van Ceulebroeck about 2 months ago
- Status changed from New to Rejected
This is being closed, since it it tracked by a previous entry: #6584