Error: Invalid 'X-Frame-Options' header

tomar

Invalid 'X-Frame-Options' header encountered when loading 'https://domain.com:4567/': 'ALLOW-FROM https://domain.com/' is not a recognized directive. The header will be ignored.

While loafing into iframe, getting this error. It may be an issue if it stops working completely as this header directive is already obsolete.

According MDN documents, ALLOW-FROM uri is no more a part of X-Frame-Options header.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Also, In latest version of NodeBB, it is getting used and throwing error. We tried multiple patches/subversions of version 12 and 13. But no luck.

Please share if we have any solution or workaround for the same.

baris

You need to set allow-from-uri to empty string so it uses SAMEORIGIN.

'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',

We will have to update the code since ALLOW-FROM seems to be deprecated.

update ALLOW-FROM · Issue #8432 · NodeBB/NodeBB

Looks like ALLOW-FROM uri is no longer a valid directive https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options https://community.nodebb.org/topic/14856/error-invalid-x-frame-options-header

GitHub (github.com)

tomar

@baris Thanks for adding this to the improvement list.

Please let me know if there is any update on the same.

Thanks

baris

@tomar https://github.com/NodeBB/NodeBB/commit/46ab2711d49db6a98502a62fc2fe39387b107603