As documented (https://www.drupal.org/node/2735873), the Drupal community removed the ability to embed a Drupal site in an external frame, to avoid clickjacking.
The problem
Basically, you cannot put an external Drupal website into an iframe anymore. If you try to embed a website with X-Frame-Options restrictions, you will get a browser console error stating something like this:
because it set ‘X-Frame-Options’ to ‘sameorigin’
This behavior comes from drupal_deliver_html_page (in common.inc), which performs the check shown below:
// By default, do not allow the site to be rendered in an iframe on another
// domain, but provide a variable to override this. If the code running for
// this page request already set the X-Frame-Options header earlier, don't
// overwrite it here.
$frame_options = variable_get('x_frame_options', 'SAMEORIGIN');
if ($frame_options && is_null(drupal_get_http_header('X-Frame-Options'))) {
  drupal_add_http_header('X-Frame-Options', $frame_options);
}
To see your Drupal website displayed in a frame on an external website, you must change the X-Frame-Options header (or remove it).
The solution
Although the Drupal documentation (https://www.drupal.org/node/2735873) explains that you can remove the X-Frame-Options header via page_alter, I discovered that under certain conditions this strategy does not work at all.
In my case, I was able to surf the site from a frame only if I was logged in with an active session.
To achieve a better solution, my suggestion is to modify the Drupal variable x_frame_options before drupal_deliver_html_page is called.
I did this (and it works like a charm) via page_delivery_callback_alter, where I set the variable to FALSE when certain conditions are satisfied (i.e. the page is requested from a whitelisted domain).
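function MYMODULENAME_page_delivery_callback_alter(&$delivery_callback) {
  // Full referrer URLs that are allowed to frame the site.
  $domains = variable_get('ur_com_xframe_allowed', array('http://www.myalloweddomain.xxx/'));
  // The Referer header is optional, so do not assume it is present.
  $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  // Removing the frame limitation for certain referrers.
  if (in_array($referer, $domains, TRUE)) {
    // Setting the variable to FALSE so that the header is not set later.
    // variable_set() stores the value in the database.
    variable_set('x_frame_options', FALSE);
  }
  else {
    // Default behavior.
    variable_set('x_frame_options', 'SAMEORIGIN');
  }
}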
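A variant that avoids both the Referer check and the variable_set() database write, as an added example that is not the post's own code: it overrides x_frame_options for the current request only and sends a Content-Security-Policy frame-ancestors header naming the allowed origins. MYMODULENAME and ur_com_xframe_allowed come from the post; the helper function name is hypothetical, and the example assumes no other code on the site sets its own Content-Security-Policy header.

```php
<?php
/**
 * Implements hook_page_delivery_callback_alter().
 *
 * Added example, not the post's code. The helper name below is hypothetical.
 */
function MYMODULENAME_page_delivery_callback_alter(&$delivery_callback) {
  $urls = variable_get('ur_com_xframe_allowed', array('http://www.myalloweddomain.xxx/'));
  $origins = MYMODULENAME_allowed_frame_origins($urls);
  if (empty($origins)) {
    // Nothing valid is allowlisted: keep core's SAMEORIGIN default.
    return;
  }
  // Override for this request only: variable_get() reads the global $conf,
  // so nothing is written to the database (unlike variable_set()).
  $GLOBALS['conf']['x_frame_options'] = FALSE;
  // frame-ancestors names exactly who may embed the page and does not rely
  // on the client-supplied Referer header. Assumes no other CSP header is set.
  $policy = "frame-ancestors 'self' " . implode(' ', $origins);
  drupal_add_http_header('Content-Security-Policy', $policy);
}

/**
 * Reduces configured URLs to scheme://host[:port] origins; entries that are
 * not plain http(s) URLs are dropped so they cannot corrupt the header.
 */
function MYMODULENAME_allowed_frame_origins(array $urls) {
  $origins = array();
  foreach ($urls as $url) {
    $p = is_string($url) ? parse_url($url) : FALSE;
    if (empty($p['scheme']) || empty($p['host'])) {
      continue;
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    if (!in_array($scheme, array('http', 'https'), TRUE) || !preg_match('/\A[a-z0-9.-]+\z/', $host)) {
      continue;
    }
    $origin = $scheme . '://' . $host;
    if (!empty($p['port'])) {
      $origin .= ':' . (int) $p['port'];
    }
    $origins[$origin] = $origin;
  }
  return array_values($origins);
}
```

Browsers that support frame-ancestors enforce it in place of X-Frame-Options, and the same header is sent to every visitor, so nothing depends on the Referer being present.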
Hope this helps.