Need to turn off x-frame-options.


Kareem

Mar 23, 2017, 1:32:18 PM
to ResourceSpace
Hello!

I'm running ResourceSpace under a masked GoDaddy subdomain (which places the website within an iframe). As a result, ResourceSpace is blocking it under its X-Frame-Options XSS setting.

How do I turn this off?


Errata:
You're probably wondering why it's in an iframe. GoDaddy manages masked subdomains by placing the masked site within an iframe. Unfortunately, I can't move the parent domain off GoDaddy because the same domain is using GoDaddy for mail and office services.

Hans-Eric Jaeger

Mar 24, 2017, 2:38:40 PM
to ResourceSpace
Kareem,
I'm not sure if this is exactly your issue, but do you have access to the Apache config files? If so, you can set the Apache directive "Header always append X-Frame-Options: ALLOW-FROM *". The star is simply a wildcard character that can (and probably should) be replaced with a domain name as well. Please keep in mind that if you allow x-frame from all, then you are softening the security of your website, mostly by allowing the possibility of your site being "clickjacked", meaning that someone else can take your site and place it inside of an iframe on their domain and place fake links on top of the iframe.

Here is a bit more information on preventing clickjacking - https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Another link to more information about "X-Frame-Options" - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
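As an added illustration (editor's example, not from either poster or from the ResourceSpace project), here is an Apache virtual host fragment showing the weak "allow everyone to frame me" setting beside a scoped one. The parent origin `https://parent.example.com` is a placeholder for the GoDaddy-masked domain. Two caveats a practitioner should know: `ALLOW-FROM` accepts exactly one origin and no wildcard, and browsers have since dropped `ALLOW-FROM` support entirely in favour of the `Content-Security-Policy` `frame-ancestors` directive, so the CSP header is the one that actually enforces the allow-list today.

```apache
# Example only: scoping framing permission in Apache (mod_headers required).
# https://parent.example.com is an assumed placeholder for the framing domain.

<VirtualHost *:443>
    ServerName resourcespace.example.com

    # --- WEAK: disables clickjacking protection for every origin ---
    # "ALLOW-FROM *" is not valid syntax; browsers ignore the header, which
    # has the same effect as removing it: any site may frame this one.
    # Header always set X-Frame-Options "ALLOW-FROM *"

    # --- PREFERRED: name the single parent origin that may frame the site ---
    # Legacy header for old browsers that understood ALLOW-FROM (one origin only).
    Header always set X-Frame-Options "ALLOW-FROM https://parent.example.com"

    # Modern enforcement: frame-ancestors takes an explicit allow-list and is
    # honoured by current browsers, which no longer implement ALLOW-FROM.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://parent.example.com"
</VirtualHost>
```

After restarting Apache, confirm the effective headers with `curl -I https://resourcespace.example.com/` and check that only one `X-Frame-Options` value is present; if the application itself emits a conflicting `SAMEORIGIN` or `DENY`, browsers treat the combined header as invalid and the scoped policy above will not take effect until the application's own setting is adjusted.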