Error: Invalid 'X-Frame-Options' header
-
Invalid 'X-Frame-Options' header encountered when loading 'https://domain.com:4567/': 'ALLOW-FROM https://domain.com/' is not a recognized directive. The header will be ignored.
While loading into an iframe, we get this error. It may be an issue if it stops working completely, as this header directive is already obsolete.
According to the MDN documents, ALLOW-FROM uri is no longer a part of the X-Frame-Options header.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Also, in the latest version of NodeBB, it is being used and throws the error. We tried multiple patches/subversions of versions 12 and 13, but no luck.
Please share if we have any solution or workaround for the same.
-
You need to set allow-from-uri to an empty string so it uses SAMEORIGIN.
'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
We will have to update the code since ALLOW-FROM seems to be deprecated.
update ALLOW-FROM · Issue #8432 · NodeBB/NodeBB
Looks like ALLOW-FROM uri is no longer a valid directive https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://community.nodebb.org/topic/14856/error-invalid-x-frame-options-header
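The header logic discussed in this thread, reworked as an added example (not NodeBB's code and not from either poster): it keeps `X-Frame-Options: SAMEORIGIN` and expresses the trusted embedding origin with the CSP `frame-ancestors` directive, which is what MDN lists as the replacement for ALLOW-FROM. The function names and sample values are assumptions made for illustration.

```javascript
'use strict';
// Added example, not NodeBB code: toOrigin and buildFramingHeaders are hypothetical names.

// Reduce a configured URI to a bare origin (scheme://host[:port]), or null if unusable.
function toOrigin(uri) {
  let url;
  try {
    url = new URL(String(uri).trim());
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;
  }
  // url.origin drops path, query, fragment and credentials. The allowlist below
  // also rejects hosts containing ';', ',' or quotes, which could alter the policy.
  return /^https?:\/\/[a-z0-9.\-\[\]:]+$/i.test(url.origin) ? url.origin : null;
}

// Build the anti-framing headers for one optional trusted embedding origin.
function buildFramingHeaders(allowFromUri) {
  // Legacy header for old browsers: only DENY and SAMEORIGIN are still recognised.
  const headers = { 'X-Frame-Options': 'SAMEORIGIN' };
  if (!allowFromUri) {
    return headers;
  }
  const origin = toOrigin(allowFromUri);
  // Fail closed: a malformed setting must not widen who may frame the site.
  headers['Content-Security-Policy'] = origin
    ? `frame-ancestors 'self' ${origin}`
    : "frame-ancestors 'self'";
  return headers;
}

// Constructed sample values, based on the hosts in the error message above.
for (const uri of ['', 'https://domain.com/', 'https://domain.com:4567/forum', 'ftp://domain.com/']) {
  console.log(JSON.stringify(uri), buildFramingHeaders(uri));
}
```

Browsers that support `frame-ancestors` enforce it and ignore `X-Frame-Options` when both are present. The port is part of the origin, so `https://domain.com` and `https://domain.com:4567` are different values in the policy.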