X-Frame-Options header is not a recognized directive

MPH · Dec 8, 2017 · Viewed 36.2k times

I have been using Nextcloud (on Nginx) for a while now and I want to embed it in an iframe on another website. However, the header does not accept my directives.

I changed the header option in /var/www/nextcloud/lib/private/legacy/response.php into the following:

header('X-Frame-Options: ALLOW-FROM https://example.com');

However when I make an example webpage with an iframe it gives me the following error:

Invalid 'X-Frame-Options' header encountered when loading 'https://nextcloud.example.com/apps/files/': 'ALLOW-FROM https://example.com' is not a recognized directive. The header will be ignored.

Does anyone have an idea why this does not work?

Answer

R. Oosterholt · Nov 29, 2019

allow-from is 'obsolete'. You can use the Content-Security-Policy header instead:

header('Content-Security-Policy: frame-ancestors https://example.com');
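As an added example (my own code, not from this answer or from Nextcloud), the check below shows why the two headers behave differently: a browser honours X-Frame-Options only for DENY and SAMEORIGIN, so an ALLOW-FROM value is silently dropped and the page is left frameable by anyone, whereas a frame-ancestors directive is evaluated and takes precedence. The function names and the reduced CSP source-matching rules ('none', 'self', *, scheme-only, and [scheme://]host[:port] with a *. wildcard; a scheme-less source matches any scheme) are my own simplifications.

```python
"""Does a response allow framing from a given embedding origin?

Added example, not Nextcloud code. X-Frame-Options is honoured only for DENY
and SAMEORIGIN; an unrecognized value such as ALLOW-FROM is ignored, leaving
no protection. A CSP frame-ancestors directive, when present, decides instead.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())

def source_matches(expr, page, ancestor):
    """Match one frame-ancestors source expression against the ancestor origin."""
    expr = expr.lower()
    if expr in ("'none'", "'self'", "*"):
        return {"'none'": False, "'self'": ancestor == page, "*": True}[expr]
    if expr.endswith(":") and "/" not in expr:            # scheme-source, e.g. "https:"
        return ancestor[0] == expr[:-1]
    p = urlsplit(expr if "://" in expr else "//" + expr)  # host-source: [scheme://]host[:port]
    if p.scheme and p.scheme != ancestor[0]:
        return False
    host = p.hostname or ""
    if host.startswith("*."):                              # wildcard matches any subdomain
        if not ancestor[1].endswith(host[1:]):
            return False
    elif host != ancestor[1]:
        return False
    return (p.port or DEFAULT_PORTS.get(p.scheme or ancestor[0])) == ancestor[2]

def framing_allowed(headers, page_url, ancestor_url):
    """Return (allowed, reason) for embedding page_url in a frame on ancestor_url."""
    page, ancestor = origin_of(page_url), origin_of(ancestor_url)
    headers = {k.lower(): v for k, v in headers.items()}
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ok = any(source_matches(s, page, ancestor) for s in sources.split())
            return ok, "frame-ancestors decides; X-Frame-Options is not consulted"
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        return ancestor == page, "X-Frame-Options: SAMEORIGIN"
    if xfo:  # e.g. "allow-from https://example.com": browsers ignore it, so anyone may frame
        return True, "X-Frame-Options value not recognized; header ignored"
    return True, "no framing restriction sent"
```

Running it with the question's ALLOW-FROM header shows framing allowed from every origin, while the answer's frame-ancestors header allows https://example.com and rejects everything else, including http://example.com.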