Can't remove SAMEORIGIN from XFRAME


David Rhoderick

Oct 10, 2015, 2:01:34 PM
to Fat-Free Framework
I am trying to embed my Fat-Free Framework project into a Wix site using an iframe.  It should work pretty simply, although I did realize the SAMEORIGIN X-FRAME-OPTIONS was blocking the embed.  I am using a BlueHost server for my Fat-Free Framework project, in case there is something there I should be fiddling with.  I have tried the following to remove SAMEORIGIN from X-FRAME-OPTIONS:
  • header_remove() php command
  • header('X-Frame-Options: GOFORIT') php command (GOFORIT is for anything but SAMEORIGIN and DENY)
  • adding &output=embed to the link (this didn't work with F3)
  • adding the following htaccess code:
      Header always append X-Frame-Options SAMEORIGIN
      Header set Access-Control-Allow-Origin: "http://editor.wix.com"
      Header set Access-Control-Allow-Origin: "http://www.wix.com"

  • And lastly $f3->set('XFRAME',NULL). I have tried different values such as an empty string or GOFORIT.
Any idea why I would always get SAMEORIGIN on my BlueHost server? Thanks for any tips!

~Dave

Anatol Buchholz

Oct 12, 2015, 6:36:14 AM
to Fat-Free Framework
This was working some time ago in index.php, haven't tested it with the latest version:

$f3->set('XFRAME', "");

cheers,

– anatol

David Rhoderick

Oct 15, 2015, 2:31:55 PM
to Fat-Free Framework
Thanks for the response.  To update, that solution didn't work.  I have tried almost everything on my end and submitted a ticket to BlueHost.  Does anyone have any experience with their servers in this regard?

David Rhoderick

Oct 15, 2015, 2:59:15 PM
to Fat-Free Framework
I didn't look into my .htaccess file. There was the line Header append X-FRAME-OPTIONS "SAMEORIGIN" in there along with some allows for Wix. Simply removing the append line allowed it to be embedded.
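
Why the server-level line kept winning, as an added example that is not part of the original thread: a Python model of how a browser combines X-Frame-Options values for a cross-origin parent, following the processing steps in the HTML Standard (browsers of the thread's era may have differed). The function names and the header samples are constructed for illustration.

```python
# Added example: how a browser combines X-Frame-Options values for a page
# framed by a different origin. All header lists are constructed samples.
KNOWN = {"deny", "sameorigin", "allowall"}

def xfo_values(headers):
    """Every X-Frame-Options value, comma-split, lowercased, de-duplicated."""
    values = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for part in value.split(","):
            part = part.strip().lower()
            if part and part not in values:
                values.append(part)
    return values

def has_frame_ancestors(headers):
    """True if an enforced CSP header carries a frame-ancestors directive."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    return True
    return False

def framing_verdict(headers):
    """Return 'allowed', 'blocked' or 'csp-decides' for a cross-origin parent."""
    if has_frame_ancestors(headers):
        return "csp-decides"      # X-Frame-Options is ignored in this case
    values = xfo_values(headers)
    if len(values) > 1:
        # Any recognised value mixed with anything else blocks the frame.
        return "blocked" if KNOWN & set(values) else "allowed"
    if values and values[0] in ("deny", "sameorigin"):
        return "blocked"
    return "allowed"              # no header, or a single unrecognised value

SAMPLES = {
    "app sends GOFORIT only": [("X-Frame-Options", "GOFORIT")],
    "GOFORIT plus appended SAMEORIGIN, one line": [("X-Frame-Options", "GOFORIT, SAMEORIGIN")],
    "same, as two header lines": [("X-Frame-Options", "GOFORIT"), ("X-Frame-Options", "SAMEORIGIN")],
    "header removed everywhere": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {framing_verdict(headers)}")
```

A "blocked" verdict that survives every application-side change points at a header added outside the application, such as the .htaccess line found above.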

Anatol Buchholz

Oct 17, 2015, 5:08:21 AM
to Fat-Free Framework
Hi David,

This means the reason was an htaccess which was generated by the host or another app? It's not in f3's htaccess: https://github.com/bcosca/fatfree/blob/master/.htaccess
If htaccess was the reason, which of your solutions works?

$f3->set('XFRAME',NULL).
?

cheers,

– anatol

David Rhoderick

Oct 18, 2015, 11:10:51 PM
to Fat-Free Framework
I believe it got in there in my quest to remove SAME ORIGIN.  It was attached to something that should have helped but obviously it was the problem.

Ángel F

Jun 2, 2016, 7:07:08 AM
to David Rhoderick via Fat-Free Framework, Fat-Free Framework
I am facing the same issue, but my server is not adding anything.

I only want to allow the xframe on one page on my website.
Shall I use 
$f3->set('XFRAME', "");

?
Thanks 



Ángel F

Jun 2, 2016, 7:36:08 AM
to David Rhoderick via Fat-Free Framework, Fat-Free Framework
Hi,

I ended up using the header remove, but the
header('X-Frame-Options: GOFORIT')
worked too.