Drupal 7 blocks external frame due to X-Frame-Options

As documented (https://www.drupal.org/node/2735873), the Drupal community removed the possibility to embed a Drupal site in an external frame, in order to prevent clickjacking.

The problem

Basically, you cannot put an external Drupal website into an iframe anymore. If you try to embed a website with X-Frame-Options restrictions, you will get a browser console error stating something like this:

because it set ‘X-Frame-Options’ to ‘sameorigin’

This behavior comes from drupal_deliver_html_page (in common.inc), where the check shown below is performed:

To have your Drupal website displayed in a frame on an external website, you must change the X-Frame-Options header (or remove it).

The solution

Although the Drupal documentation (https://www.drupal.org/node/2735873) explains that you can remove the X-Frame-Options header via page_alter, I discovered that under certain conditions this strategy does not work at all.

In my case I was able to surf the site from a frame only if I was logged in with an active session.

To achieve a better solution, my suggestion is to modify the Drupal variable x_frame_options before drupal_deliver_html_page is called.
I did this (and it works like a charm) via page_delivery_callback_alter, where I set the variable to FALSE when certain conditions are satisfied (i.e. the page is requested from a whitelisted domain).
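Here is one way to implement that override, as an added example that is not the post's own code. It assumes a custom module named frame_whitelist (hypothetical name) and a constructed list of allowed embedding hosts; the check uses the Referer header, which for a framed document is the URL of the page that frames it, and leaves X-Frame-Options in place for every request that does not match.

```php
<?php
/**
 * Implements hook_page_delivery_callback_alter().
 *
 * Added example (not the post's own code). This hook runs before
 * drupal_deliver_html_page(), so the in-memory override of the
 * 'x_frame_options' variable is seen when the header is built.
 * The module name "frame_whitelist" is hypothetical.
 */
function frame_whitelist_page_delivery_callback_alter(&$callback) {
  // Only the HTML delivery path emits X-Frame-Options.
  if ($callback !== 'drupal_deliver_html_page') {
    return;
  }
  // Hosts allowed to frame this site (constructed sample values).
  $allowed_hosts = array('partner.example.com', 'www.example.org');

  if (frame_whitelist_referer_allowed($allowed_hosts)) {
    // Override in memory only: variable_get() reads $conf, so the
    // stored setting is untouched and every other request still gets
    // X-Frame-Options: SAMEORIGIN.
    $GLOBALS['conf']['x_frame_options'] = FALSE;
  }
}

/**
 * Returns TRUE when the embedding page's host is on the whitelist.
 *
 * An absent or unparsable Referer is treated as not allowed, so the
 * clickjacking protection stays in place in the default case.
 */
function frame_whitelist_referer_allowed(array $allowed_hosts) {
  if (empty($_SERVER['HTTP_REFERER'])) {
    return FALSE;
  }
  $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
  if (!$host) {
    return FALSE;
  }
  // Exact, case-insensitive host match; no substring match, so a host
  // such as "partner.example.com.evil.test" is rejected.
  return in_array(strtolower($host), $allowed_hosts, TRUE);
}
```

Because the override never calls variable_set(), nothing is persisted and the site keeps sending SAMEORIGIN to everyone outside the whitelist.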

Hope this helps.
