We encountered a question about an X-Frame-Options issue. We solved it by adding some additional lines to the .htaccess file.
Generally speaking, WordPress blocks framing of its pages to prevent hacking activity against its website, so X-Frame-Options is usually set to “SAMEORIGIN”
(X-Frame-Options SAMEORIGIN).
However, sometimes we need framing to be enabled in order to embed a website somewhere else. In our case, we needed to embed a site within an iframe.
If we just use an HTTP headers plugin and set “allow-from” for a certain website,
it will write the following code to the .htaccess file under the document root folder.
<IfModule mod_headers.c>
<FilesMatch "\.(php|html)$">
Header set X-Frame-Options "ALLOW-FROM https://wordsworthkiosk.lib.byu.edu/"
</FilesMatch>
</IfModule>
However, the allow-from URL feature is obsolete. So if we just use the plugin, we will only get the following result when we go to the site embedded in the iframe.
Basically, it shows nothing at all.
To make it work, we need to use the following method and not use the HTTP headers plugin, since “allow-from url” is obsolete. However, you will still need to use allow-from url in the .htaccess file.
The code that you will use is as follows.
<IfModule mod_headers.c>
<FilesMatch "\.(php|html)$">
Header set X-Frame-Options "ALLOW-FROM https://wordsworthkiosk.lib.byu.edu/"
Header set Content-Security-Policy "frame-ancestors https://wordsworthkiosk.lib.byu.edu/"
</FilesMatch>
</IfModule>
“Content-Security-Policy” replaces “Allow-From URL”. However, both statements are needed.
Once you save the change, the embedded website will show within the iframe.
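To confirm the change took effect, the following added example (not code from the original post) reads a response's headers and reports whether the Content-Security-Policy frame-ancestors directive lets a given parent origin embed the page, and whether the obsolete ALLOW-FROM value is still being sent. The header blocks are constructed from the .htaccess rules above, the function names are hypothetical, and the matcher is simplified to the 'none', 'self', * and scheme://host[:port] source forms.

```python
from urllib.parse import urlsplit

# Constructed sample responses: the plugin-only header set and the page's final one.
BEFORE = "X-Frame-Options: ALLOW-FROM https://wordsworthkiosk.lib.byu.edu/"
AFTER = BEFORE + "\nContent-Security-Policy: frame-ancestors https://wordsworthkiosk.lib.byu.edu/"

def origin(url):
    """(scheme, host, port) of a URL; any path is ignored."""
    u = urlsplit(url.lower())
    return u.scheme, u.hostname or "", u.port or {"http": 80, "https": 443}.get(u.scheme)

def parse_headers(raw):
    """Map lower-cased header names to the list of values seen for each."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestor_lists(headers):
    """One source list per policy that carries a frame-ancestors directive."""
    lists = []
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                lists.append(parts[1:])
                break  # only the first occurrence in a policy counts
    return lists

def source_allows(source, parent, page):
    """Simplified matcher: 'none', 'self', * and scheme://host[:port] only."""
    s = source.lower()
    if s in ("*", "'self'"):
        return s == "*" or origin(parent) == origin(page)
    if "://" not in s:
        return False  # 'none' and source forms not modelled here
    want, have = origin(s), origin(parent)
    host_ok = have[1].endswith(want[1][1:]) if want[1].startswith("*.") else have[1] == want[1]
    return host_ok and (want[0], want[2]) == (have[0], have[2])

def audit(raw, page, parent):
    """Report whether CSP lets `parent` frame `page`, and flag ALLOW-FROM use."""
    headers = parse_headers(raw)
    lists = frame_ancestor_lists(headers)
    xfo = [v.split()[0].upper() for v in headers.get("x-frame-options", []) if v]
    allows = all(any(source_allows(s, parent, page) for s in l) for l in lists)
    return {"csp_allows": allows if lists else None, "obsolete_allow_from": "ALLOW-FROM" in xfo}
```

A csp_allows value of None means no frame-ancestors directive was sent at all, which is the state the plugin-only configuration leaves the site in.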