How to configure frames with X-Frame-Options header

This article describes how to configure access to frame content using the X-Frame-Options header.

Loading frame content

When you try to view a web page that includes one or more frames, you may experience an issue where the frame content does not load.

For example, in the Mozilla Firefox web browser, you see only a blank area where the frame content should appear on the page. Additionally, the Developer Tools console displays an error message that resembles the following:

Load denied by X-Frame-Options: "sameorigin" from "https://example.com/", site does not permit cross-origin framing from "https://example.com/test.html"

In the Google Chrome browser, you see the following content:

[Image: Google Chrome frame load error message]

Additionally, the Developer Tools console displays an error message that resembles the following:

Refused to display 'https://example.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

These types of problems occur when a web server sends an X-Frame-Options HTTP header whose value is one of the following:

  • sameorigin: When the X-Frame-Options header is set to sameorigin, the content can only be displayed in a frame on a page that has the same origin (scheme, host and port) as the content itself. For example, if the server at example-1.com sends the X-Frame-Options header set to sameorigin, then a page at example-2.com cannot load content from example-1.com in a frame.
  • deny: When the X-Frame-Options header is set to deny, content cannot be loaded in a frame at all.

Configuring the X-Frame-Options header

At A2 Hosting, the default configuration for the X-Frame-Options header depends on the type of hosting account that you have.

Linux hosting accounts

For Linux hosting accounts, the X-Frame-Options header is sent by default with the value sameorigin. Therefore, if you want to share content between multiple sites that you control, you must disable the X-Frame-Options header. To do this, add the following line to the .htaccess file in the directory whose content you want to allow other sites to frame:

Header always unset X-Frame-Options

To verify that the server is no longer sending the X-Frame-Options header, you can use the curl command. Type the following command at the command line, replacing example.com with your own domain name, and confirm that no X-Frame-Options line appears in the response headers it prints:

curl -I http://example.com
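
As an added check that is not part of the original article: the following Python script takes a raw header block in the shape `curl -I` prints it (the sample responses below are constructed, not captured from any server) and reports whether a browser would display the page inside a frame on a given site, applying the sameorigin and deny rules described above. It goes slightly beyond the article by checking every ancestor frame, which matters when the frame is itself nested inside another frame.

```python
from urllib.parse import urlsplit

# Constructed sample responses; LINUX_DEFAULT is the default described above and
# AFTER_UNSET is what you should see after `Header always unset X-Frame-Options`.
LINUX_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
AFTER_UNSET = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
DENY_RESPONSE = "HTTP/1.1 200 OK\r\nX-Frame-Options: deny\r\n\r\n"

def parse_headers(raw_response):
    """Map lowercase header names to values from a raw HTTP header block."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def origin_of(url):
    """Origin as (scheme, host, port); default ports are filled in so that
    http://a.com and http://a.com:80 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, parts.hostname.lower(), port)

def framing_allowed(raw_response, framed_url, ancestor_urls):
    """Decide whether the page at framed_url may be shown in a frame.
    ancestor_urls lists the framing page and, for nested frames, every frame
    above it: 'sameorigin' requires all of them to match framed_url's origin.
    Returns (allowed, reason)."""
    value = parse_headers(raw_response).get("x-frame-options", "").strip().lower()
    if not value:
        return True, "no X-Frame-Options header: any site may frame this page"
    if value == "deny":
        return False, "deny: the page may not be framed anywhere"
    if value == "sameorigin":
        for url in ancestor_urls:
            if origin_of(url) != origin_of(framed_url):
                return False, f"sameorigin: {url} is a different origin"
        return True, "sameorigin: every framing page shares the origin"
    return True, f"unrecognised value {value!r}: browsers ignore it"
```

Note that once the header is unset, any site can frame the page, not only the sites you control; if the response also carries a Content-Security-Policy header with a frame-ancestors directive, browsers use that directive instead of X-Frame-Options, which this script does not model.
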

Windows hosting accounts

For Windows hosting accounts, the X-Frame-Options header is not sent by default. Therefore, if you want to share content between multiple sites that you control, no extra configuration is necessary. However, if you do want to restrict loading content between sites, you must send the X-Frame-Options header. To do this, add the following lines to the web.config file in the directory where you want to restrict remote access:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="sameorigin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

If the web.config file already exists in the directory, you may only need to add the sections that are missing from it (for example, the httpProtocol or customHeaders section shown above).

More Information

For more information about the X-Frame-Options header, please visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.