Framework: How to remove Restriction of 'X-Frame-Options'

Created on 28 Feb 2017 · 16 Comments · Source: laravel/framework

• Laravel Version: 5.3

Description:

I want to load a URL of my Laravel application on a third-party web site using an iframe,
but it does not allow me to load the URL from there inside an iframe; it gives the following error:
Refused to display 'http://browns.softpyramid.ca/widgets/fee-calculator' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I need help to make it work via an iframe.

Steps To Reproduce:

<iframe src="http://browns.softpyramid.ca/widgets/fee-calculator"></iframe>

Most helpful comment

My issue was after I started using Forge. It seems that in nginx configuration 'SAMEORIGIN' policy was set by default. Just comment out that and add your own X-FRAME rule in application.

All 16 comments

The error you are currently getting after I clicked on the link you posted has to do with a 'none' object in your body-content.blade.php file.

As for the iframe, there are many ways to do this. You can also make an AJAX request to that third-party website and fetch the content with file_get_contents(), then simply send the fetched data to your view.

Hope that helps

@edenreich yes, that was a local app bug; I have fixed that and the URL is now working:
http://browns.softpyramid.ca/widgets/fee-calculator
and it can now be tested using:
<iframe src="http://browns.softpyramid.ca/widgets/fee-calculator"></iframe>

The URL is a component written in Vue.js and it has a lot of things in it to do.
It would be great if the community could help me remove the iframe restriction.
Thanks

I have found a solution for this here:
http://stackoverflow.com/questions/20293116/override-http-headers-default-settings-x-frame-options

According to Laravel 4.2 you can try App::forgetMiddleware('Illuminate\Http\FrameGuard');
if that doesn't work, you will need to override that handle method. Lastly, if both don't work, just comment out line 20 in Illuminate\Http\FrameGuard.

Hope that helps

BTW, shouldn't that middleware appear in App\Http in the Kernel.php file, so people can decide if they need this middleware? Or I probably missed the name of it in Kernel.php.

@edenreich in 5.3 forgetMiddleware is not available; I tried to override that method and now it says:

Multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM http://widgets.dev/, SAMEORIGIN') encountered when loading 'http://browns.softpyramid.ca/widgets/fee-calculator'. Falling back to 'DENY'.

So it did not remove the old header but added a new one to it.

@edenreich I think in Laravel 5.3 FrameGuard is not used by default, but I used it and changed it to:

// drop the existing header, then set directive and URI as ONE value string
// (HeaderBag::set() takes key, value, replace; a third argument is not part of the value)
$response->headers->remove('X-Frame-Options');
$response->headers->set('X-Frame-Options', 'ALLOW-FROM http://widgets.dev/');

also tried:
header_remove('X-Frame-Options');
header('X-Frame-Options: ALLOW-FROM http://widgets.dev/');

but no luck, same error:
Multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM http://widgets.dev/, SAMEORIGIN') encountered when loading 'http://browns.softpyramid.ca/widgets/fee-calculator'. Falling back to 'DENY'.

I think it's something to do with your .htaccess file. Did you look there?

Try following these steps:

http://stackoverflow.com/questions/5881139/how-to-block-iframe-call
(instead of DENY write ALLOW)

No luck

The best way to go about it is to try and set your header X-Frame-Options: ALLOW-FROM [the-url-from-where-you-want-to-fetch-the-data] using the Laravel implementation. You can always modify / override the headers to your needs.

Check the documentation: https://laravel.com/docs/5.4/responses

Just follow the documentation and try to return the response with this header in your controller. I haven't tested it myself, but it should be overriding, I'm pretty sure.

So basically it should look like this:

return response()
    ->view('hello', $data, 200) // modify it to your view
    ->header('X-Frame-Options', 'ALLOW-FROM http://widgets.dev/'); // directive and URI together in one value
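The two failures described in this thread (a second header being appended instead of replacing the first, and a value passed as the wrong argument) are easiest to avoid in one middleware that owns the header. The following is an added example, not code from the thread or from Laravel itself; the class name AllowFramingFrom, the config key 'framing.allowed_origin' and the origin http://widgets.dev are assumptions. It removes whatever an earlier layer set, then emits exactly one X-Frame-Options header, failing closed (DENY) when no valid origin is configured. One caveat for anyone copying this: ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox; Chrome and Safari ignore it, and the standard replacement for per-origin framing control is the Content-Security-Policy frame-ancestors directive.

```php
<?php
// Added example (not from the thread or from Laravel). Assumed names: the class
// AllowFramingFrom and the config key 'framing.allowed_origin' (config/framing.php).
namespace App\Http\Middleware;

use Closure;

class AllowFramingFrom
{
    /**
     * Pass the request through, then rewrite the framing header on the response.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Assumed config value, e.g. 'http://widgets.dev' in config/framing.php.
        $origin = config('framing.allowed_origin');

        // Drop anything set earlier in the stack (e.g. FrameGuard's SAMEORIGIN) so the
        // browser receives exactly one X-Frame-Options header, never a conflicting pair.
        $response->headers->remove('X-Frame-Options');

        if (is_string($origin) && self::isOrigin($origin)) {
            // HeaderBag::set($key, $value, $replace = true): the directive and the URI
            // are a single value string, not two separate arguments.
            $response->headers->set('X-Frame-Options', 'ALLOW-FROM ' . $origin);
        } else {
            // No usable origin configured: fail closed rather than silently allow framing.
            $response->headers->set('X-Frame-Options', 'DENY');
        }

        return $response;
    }

    /**
     * Accept only an http(s) scheme plus host (optional port, optional trailing slash).
     * A path, query or stray whitespace would turn the directive into one the browser
     * rejects, so it is better to refuse such a value than to emit it.
     *
     * @param  string  $value
     * @return bool
     */
    public static function isOrigin($value)
    {
        return (bool) preg_match('#^https?://[A-Za-z0-9.-]+(:\d+)?/?$#', $value);
    }
}
```

Register the class in the `$middleware` array of app/Http/Kernel.php (or in a route group that covers only the widget routes) and remove the old FrameGuard entry if you kept one. The middleware only controls what the application emits: if nginx or Apache in front of it also adds X-Frame-Options (the cause the thread eventually found), the browser still sees two values and falls back to DENY, so the proxy rule has to go as well.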

Feel free to continue discussing here, or on the forums. Closing though, because this is not a bug report with the framework, as such. :)

@GrahamCampbell you are right, nothing to do with the framework; we removed the headers from nginx and it worked. Thanks @edenreich for the efforts.

I'm getting the same issue with Laravel using Apache; any fix for Apache?

Hi,
A simple solution is to add the "Ignore X-Frame headers" extension to your Chrome.

My issue was after I started using Forge. It seems that in nginx configuration 'SAMEORIGIN' policy was set by default. Just comment out that and add your own X-FRAME rule in application.

I found a useful answer which uses an external library, fairly quick to implement too. Hope it helps others with the same issue.

I would fucking fire you right away
