always append x-frame-options doesn't work

My hoster has x-frame-options SAMEORIGIN in the apache2.conf file. I added always append allow-from <site> in my .htaccess file. This works with Internet Explorer, but not with Firefox. The developer toolkit shows the options on the network tab correctly as: x-frame-options SAMEORIGIN, <site>. The problem occurs e.g. on Joomla, where the images on the media content are not shown. This seems a bug in Firefox. Right?

Modified by hankoster

All Replies (8)

Is that valid, combining SAMEORIGIN plus ALLOW-FROM a site other than the same origin??

I don't see a mention of that in the MDN documentation on this header: https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options

Are there any error or warning messages in the Browser Console related to the framing?

https://developer.mozilla.org/docs/Tools/Browser_Console

I don't think the Mozilla document should be leading here. The Apache documentation has to be leading? That documentation explains the 'always append' without restrictions. Firefox Developer Tools accepts it. So does Internet Explorer. I haven't been able to find something in the Apache documentation about combining SAMEORIGIN and ALLOW-FROM. But that doesn't mean it's not there. BTW, how else would you specify that all sites on your server can frame their own pages plus allow some sites to frame a specific foreign domain?


Yes, I am using that statement in my htaccess file, but with only one URL. As stated before, the SAMEORIGIN option is specified in the httpd.conf file.

hankoster said

I don't think the Mozilla document should be leading here.

What do you think of the following statement, is it obsolete?

There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.

https://tools.ietf.org/html/rfc7034#section-2.1 (RFC cited in the MDN article)

A page from nuenen.amnesty.nl is loading another page from nuenen.amnesty.nl

Network tab shows the option: X-Frame-Options SAMEORIGIN, Allow-From https://beheer.amnesty.nl/

Browser console reports: Load denied by X-Frame-Options: https://beheer.amnesty.nl/ does not permit framing by https://nuenen.amnesty.nl/administrator/index.php?option=com_media.

The error message is not reporting what really happens. This page does not frame something from beheer.amnesty.nl. That happens on another page and that works!

jscher2000 said

hankoster said
I don't think the Mozilla document should be leading here.

What do you think of the following statement, is it obsolete?

There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.

https://tools.ietf.org/html/rfc7034#section-2.1 (RFC cited in the MDN article)

Good catch! So that means that Microsoft in all its wisdom is disobeying the RFC and is extending the rules by accepting this header in IE and Edge. And so is Apache that combines the two statements. Maybe I have to look at CSP for a solution of my problem?

I imagine on a Joomla forum they have a workaround. Perhaps setting the header in PHP with the desired host name, which I think would replace the default one set on the server.

CSP is more modern, but might not work in IE and Edge: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
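
An added example, not part of the thread or of any project mentioned in it: a small Python check that applies the RFC 7034 rule quoted above (exactly one of the three values) to an X-Frame-Options string, including the comma-merged form seen in the Network tab, and builds the frame-ancestors directive the last reply points to. The function names parse_xfo and audit_xfo are made up for this example.

```python
# Added example: audit an X-Frame-Options value against RFC 7034 section 2.1
# and derive the CSP frame-ancestors directive that expresses the same intent.
from urllib.parse import urlsplit

KNOWN = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}


def parse_xfo(header_value):
    """Split a (possibly comma-merged) header value into (keyword, origin) pairs."""
    directives = []
    for part in header_value.split(","):
        tokens = part.split()
        if not tokens:
            continue
        keyword, origin = tokens[0].upper(), None
        if keyword == "ALLOW-FROM" and len(tokens) > 1:
            url = urlsplit(tokens[1])
            if url.scheme and url.netloc:
                origin = f"{url.scheme}://{url.netloc}"
        directives.append((keyword, origin))
    return directives


def audit_xfo(header_value):
    """Return (valid_per_rfc7034, equivalent_csp_directive)."""
    directives = parse_xfo(header_value)
    # RFC 7034: exactly one of the three values, and ALLOW-FROM needs a URI.
    valid = (
        len(directives) == 1
        and directives[0][0] in KNOWN
        and (directives[0][0] != "ALLOW-FROM" or directives[0][1] is not None)
    )
    sources = []
    for keyword, origin in directives:
        if keyword == "DENY":
            sources = []  # fail closed: DENY overrides anything merged with it
            break
        if keyword == "SAMEORIGIN" and "'self'" not in sources:
            sources.append("'self'")
        elif keyword == "ALLOW-FROM" and origin and origin not in sources:
            sources.append(origin)
    return valid, "frame-ancestors " + (" ".join(sources) or "'none'")


if __name__ == "__main__":
    # Value reported in the thread's Network tab.
    observed = "SAMEORIGIN, Allow-From https://beheer.amnesty.nl/"
    print(audit_xfo(observed))
```

The returned directive is meant to be sent as the value of a Content-Security-Policy response header in place of the merged X-Frame-Options value.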