ALLOW-FROM is not supported in Chrome or Safari. See MDN article: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options You are already doing the work to make a custom header and send it with the correct data, can you not just exclude the header when you detect it is from a valid partner and add DENY to every other request? I don’t … Read more
If you’re using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method: http.headers().frameOptions().disable();
UPDATE: 2019-12-30 It seem that this tool is no longer working! [Request for update!] UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome. You can use it as follows: (Optional) … Read more
Chrome offers the webRequest API to intercept and modify HTTP requests. You can remove the X-Frame-Options header to allow inlining pages within an iframe. chrome.webRequest.onHeadersReceived.addListener( function(info) { var headers = info.responseHeaders; for (var i=headers.length-1; i>=0; –i) { var header = headers[i].name.toLowerCase(); if (header == ‘x-frame-options’ || header == ‘frame-options’) { headers.splice(i, 1); // Remove header … Read more
You can’t set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource (google.com.ua in your example). They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. For … Read more
I had a similar issue, where I was trying to display content from our own site in an iframe (as a lightbox-style dialog with Colorbox), and where we had an server-wide “X-Frame-Options SAMEORIGIN” header on the source server preventing it from loading on our test server. This doesn’t seem to be documented anywhere, but if … Read more