Override HTTP header's default settings (X-FRAME-OPTIONS)


I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want: X-Frame-Options: SAMEORIGIN

For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php

I'm looking for a better solution. I've tried this in the filters.php file:

App::after(function($request, $response) {
   $response->header('X-Frame-Options', 'ALLOW-ALL');
});

But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.

2

There are 2 answers

6
Fractaliste On BEST ANSWER

Laravel doesn't provide any configuration to disable this functionality.

According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:

App::forgetMiddleware('Illuminate\Http\FrameGuard');

The dirty solution is to comment out the guilty line:

$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);

Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about Laravel's next policy.

Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.

1
peaceman On

The third parameter of the header method should serve your needs.
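
Why the question's filter ended up with two values, and a check that catches it, as an added example that is not part of the original thread or of Laravel's code. `HeaderBag` is a hypothetical stand-in for the `set($key, $value, $replace)` behaviour seen in the FrameGuard line, `auditFrameOptions` is an assumed helper name, and the call order is inferred from the header the question reports.

```php
<?php
// Hypothetical stand-in for a response header bag: set() with $replace = false
// appends to any existing values, as in the FrameGuard line quoted above.
class HeaderBag
{
    private $headers = array();
    public function set($key, $value, $replace = true)
    {
        $key = strtolower($key);
        if ($replace || !isset($this->headers[$key])) {
            $this->headers[$key] = array($value);
        } else {
            $this->headers[$key][] = $value;
        }
    }

    public function get($key)
    {
        $key = strtolower($key);
        return isset($this->headers[$key]) ? implode(', ', $this->headers[$key]) : null;
    }
}

// Assumed helper: list problems with an X-Frame-Options header value.
function auditFrameOptions($raw)
{
    if ($raw === null || trim($raw) === '') {
        return array('header missing: framing is not restricted by X-Frame-Options');
    }
    $issues = array();
    $values = array_map('trim', explode(',', $raw));
    if (count($values) > 1) {
        $issues[] = 'multiple values sent: ' . implode(' | ', $values);
    }
    foreach ($values as $v) {
        // DENY, SAMEORIGIN and the obsolete ALLOW-FROM <origin> are the defined directives.
        if (!preg_match('/^(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)$/i', $v)) {
            $issues[] = "unrecognised directive: $v";
        }
    }
    return $issues;
}

// Constructed sequence: the after filter sets its value first, then the guard appends.
$bag = new HeaderBag();
$bag->set('X-Frame-Options', 'ALLOW-ALL');          // replaces, but nothing is set yet
$bag->set('X-Frame-Options', 'SAMEORIGIN', false);  // appended afterwards
echo $bag->get('X-Frame-Options'), "\n";
print_r(auditFrameOptions($bag->get('X-Frame-Options')));
```

Running the same audit against the headers of a real response, for example in an integration test, shows whether a framing policy change left a single, defined directive in place.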