Contrib.social

Should "iFrame domain" also set "X-Frame-Options" header

Open on Drupal.org →
Created on 18 August 2019, over 5 years ago
Updated 24 April 2024, 9 months ago

Imagine a scenario, where the main website is served at https://example.com, and the iFrame domain options is set to an alias; https://oembed.example.com

This way when media on a page is viewed, the markup on https://example.com would be something like:

<iframe src="https://oembed.example.com/media/oembed?url=https%3A//youtu.be/Dc3LpT69crc&amp;max_width=0&amp;max_height=0&amp;hash=J3reigEh1oul-MNqUBBvVbfHUo1eI54gZryZJT22g1E" frameborder="0" allowtransparency width="480" height="270" class="media-oembed-content"></iframe>

Out-of the box, this fails with an error:

Refused to display 'https://oembed.example.com/media/oembed?url=https%3A//youtu.be/Dc3LpT69c...' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Unless an appropriate X-Frame-Options header is set, the iframe content will not load.

Should this be an optional setting, addition to iFrame domain in Media settings > Security?

    $form['security']['x_frame_options'] = [
      '#type' => 'checkbox',
      '#title' => $this->t('Set HTTP header: X-Frame-Options: allow-from {IFRAME_DOMAIN}'),
      '#default_value' => $this->config('media.settings')->get('x_frame_options'),
      '#description' => $this->t('If the content served from iFrame domain is not displayed try enabling this option.'),
      '#states' => [
        'invisible' => [
          ':input[name="iframe_domain"]' => ['empty' => TRUE],
        ],
      ],
    ];

Then set the HTTP header in an EventSubscriber:

  public function onKernelResponse(FilterResponseEvent $event) {
    $iframe_domain = $this->config->get('iframe_domain', '');
    $x_frame_options = $this->config->get('x_frame_options', 0);

    if ($iframe_domain !== '' && (bool) $x_frame_options) {
      $response = $event->getResponse();
      $response->headers->set('X-Frame-Options', "allow-from ${iframe_domain}");
    }
  }
🐛 Bug report
Status

Active

Version

11.0 🔥

Component
Media 

Last updated about 14 hours ago

Created by

🇩🇰Denmark osman Copenhagen

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024