Removing the “X-Frame-Options” header in nginx for Yandex


Recently I started using Yandex's analytics tool. It gives you detailed information about your visitors, and it even records a video of every visitor who comes to your website. The link to the tool is metrica.yandex.com; it's totally free.

Anyway, the Yandex tool provides an option called maps that shows the places on your website most clicked by visitors. When I tried to use it, I got an error message saying:

 Not possible to replay visit on the given page. Possible reasons:
 Counter code not configured
 Displaying this page in a frame is forbidden

I'm pretty sure that the counter code is configured correctly and that I have put it in the right place on my website, so I visited the help page, yandex.com/support/metrica/behavior/click-map.html, to see what the problem is, and I found this:

If your site is protected from being shown in an iframe (the X-Frame-Options header is used in the server settings), the collected data won't be available for viewing. To view the site's session data, you must change the server settings and add an exception for the webvisor.com domain and subdomains, as well as for your site's domain. Use the regular expression

They give nginx users some code that needs to be added to the configuration file to make the maps work correctly. So I added it, and this is my configuration file after adding a couple of lines:

    .....
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        set $frame_options '';
        if ($http_referer !~ '^https?:\/\/([^\/]+\.)?(www.google\.com|webvisor\.com)\/') {
            set $frame_options 'SAMEORIGIN';
        }
        add_header X-Frame-Options $frame_options;
    }
    .....

I have replaced my domain name with www.google.com.

But the error is still showing and I don't know why; maybe I missed some step. Please suggest a possible solution. I need this option a lot to know where I can put my ads.

2

There are 2 answers

0
danroshko On

I recently encountered the same problem with Yandex Metrica. Their error message is a bit misleading, because in my case the cause was the Content-Security-Policy settings, not X-Frame-Options. Check the documentation for "Installing a counter on a site with CSP" and try adding something like the following to the nginx configuration:

    add_header Content-Security-Policy "frame-src blob: https://mc.yandex.ru https://mc.yandex.com https://mc.webvisor.com https://mc.webvisor.org";
    add_header Content-Security-Policy "child-src blob: https://mc.yandex.ru https://mc.yandex.com https://mc.webvisor.com https://mc.webvisor.org";
    add_header Content-Security-Policy "script-src 'unsafe-inline' https://yastatic.net https://mc.yandex.ru https://mc.yandex.com 'self'";

0
user1195170 On

At the link https://yandex.com/support/metrica/behavior/click-map.html they describe the odd way, not the Content-Security-Policy one. But as far as I can see, the domain is webvisor.com only, I think. So you can define your Content-Security-Policy as *.webvisor.com.
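
Since the thread disagrees on whether X-Frame-Options or Content-Security-Policy is what forbids framing, the following added example (not code from either answer or from Yandex) takes a page's response headers and reports which one blocks a given embedding origin. The function names, the sample headers and `example.org` are assumptions; origins are passed as lowercase `scheme://host` with default ports, and only the direct embedder is checked.

```python
from urllib.parse import urlsplit

# Constructed sample headers (not captured from a real site).
SAMPLE = [("X-Frame-Options", "SAMEORIGIN"),
          ("Content-Security-Policy", "frame-ancestors 'self' https://*.webvisor.com")]

def _source_allows(src, embedder, page):
    """Match one frame-ancestors source expression against the embedder origin."""
    src, emb = src.lower(), urlsplit(embedder)
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return emb.scheme in ("http", "https")
    if src.endswith(":"):                          # scheme-source, e.g. https:
        return emb.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")
    scheme = scheme or urlsplit(page).scheme       # no scheme: use the page's
    if emb.scheme != scheme and not (scheme == "http" and emb.scheme == "https"):
        return False
    host = host.split("/")[0]
    if host.startswith("*."):                      # wildcard covers subdomains only
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host

def framing_verdict(headers, embedder, page):
    """Return (allowed, reason) for origin `embedder` framing a page at origin `page`.
    Only frame-ancestors and X-Frame-Options are evaluated; frame-src and child-src
    restrict what the page itself embeds, so they are not consulted here."""
    ancestors = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                ancestors.append(parts[1:])
    for sources in ancestors:                      # every policy must allow the embedder
        if not any(_source_allows(s, embedder, page) for s in sources):
            return False, "CSP frame-ancestors " + " ".join(sources)
    if ancestors:                                  # frame-ancestors supersedes X-Frame-Options
        return True, "allowed by CSP frame-ancestors"
    for name, value in headers:
        v = value.strip().upper()
        if name.lower() == "x-frame-options" and (
                v == "DENY" or (v == "SAMEORIGIN" and embedder != page)):
            return False, "X-Frame-Options " + v
    return True, "no framing restriction"
```

Feed it the header pairs from `curl -sI` output for the page in question; a wildcard such as `*.webvisor.com` does not cover the bare `webvisor.com` host, which needs its own entry.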