Overriding header "X-Frame-Options"

Hi,
The agent sets the HTTP header “X-Frame-Options” to “SAMEORIGIN”, but is there a way to override this?

I’m using Rocky and this isn’t working:
context.setHeader("X-Frame-Options", "ALLOW-FROM My_own_domain.com" );
Instead, there are now two X-Frame-Options headers returned and the browser falls back to “DENY”.

My agent is generating a small webpage that I’m trying to embed into an iframe running on my own domain, and “ALLOW-FROM” is needed for this.

The very same thing came up internally a few days ago.

At the moment, there is no way to remove the extra response header.

We’ll have to fix it by reconfiguring nginx (to stop adding the header), so that it’s entirely up to the agent. I’ll nudge the relevant people…
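
A way to check what a browser will do with the headers a response actually carries, as an added example that is not part of the original thread or the platform's code. It is modelled on the X-Frame-Options processing in the HTML Standard; the function names are hypothetical, the header lines are constructed samples, and a CSP `frame-ancestors` directive (which would take precedence) is not modelled.

```javascript
// Added example: models how duplicate X-Frame-Options headers combine.
// Function names are hypothetical; header lines are constructed samples.

// Collect every X-Frame-Options value; headers may repeat or be comma-joined.
function collectXfoValues(rawHeaderLines) {
  const values = new Set();
  for (const line of rawHeaderLines) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    if (line.slice(0, idx).trim().toLowerCase() !== "x-frame-options") continue;
    for (const part of line.slice(idx + 1).split(",")) {
      const v = part.trim().toLowerCase();
      if (v) values.add(v);
    }
  }
  return values;
}

// Returns "deny", "sameorigin", or "none" (no framing restriction applied).
function effectiveFraming(rawHeaderLines) {
  const values = collectXfoValues(rawHeaderLines);
  const known = ["deny", "allowall", "sameorigin"];
  if (values.size > 1) {
    // Conflicting values: any recognised one among them forces a block.
    return [...values].some((v) => known.includes(v)) ? "deny" : "none";
  }
  const [only] = values;
  if (only === "deny") return "deny";
  if (only === "sameorigin") return "sameorigin";
  return "none"; // absent or unrecognised value, e.g. ALLOW-FROM
}

// Constructed samples matching the situations in the thread.
const proxyOnly = ["Content-Type: text/html", "X-Frame-Options: SAMEORIGIN"];
const proxyPlusAgent = [
  "X-Frame-Options: SAMEORIGIN",
  "X-Frame-Options: ALLOW-FROM My_own_domain.com",
];
const agentOnly = ["X-Frame-Options: ALLOW-FROM My_own_domain.com"];

for (const [name, h] of Object.entries({ proxyOnly, proxyPlusAgent, agentOnly })) {
  console.log(name, "->", effectiveFraming(h));
}
```

Under that processing a lone ALLOW-FROM value is not recognised, so once the proxy stops adding its header the response carries no framing restriction at all.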