Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'

angularjs asp.net-web-api google-oauth

I am developing a website that is supposed to be responsive so that people can access it from their phones. The site has got some secured parts that can be logged into using Google, Facebook, ...etc (OAuth).

The server backend is developed using ASP.Net Web API 2 and the front end is mainly AngularJS with some Razor.

For the authentication part, everything is working fine in all browsers including Android but the Google authentication is not working on iPhone and it gives me this error message

Refused to display 'https://accounts.google.com/o/openid2/auth
?openid.ns=http://specs.openid.ne…tp://axschema.org/namePerson
/last&openid.ax.required=email,name,first,last'
in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Now as far I am concerned I do not use any iframe in my HTML files.

I googled around, but no answer got me to fix the issue.

iframes are sometimes being used by services you connect to even if it is not visible (at first sight)

Andrew Tobilko

I found a better solution, maybe it can help somebody replace "watch?v=" by "v/" and it will work

var url = url.replace("watch?v=", "v/");

You can also change that to use "embed/" instead of "v/" so a full URL would become:

<iframe width='1080' height='760' src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen></iframe>

i suggest to change this answer to "embed/" because "v/" is not working anymore

Community

O.K. after spending more time on this with the help of this SO post

Overcoming "Display forbidden by X-Frame-Options"

I managed to solve the issue by adding &output=embed to the end of the url before posting to the google URL:

var url = data.url + "&output=embed";
window.location.replace(url);

actually this is for OAUTH as I stated in my original post. and still does in OAUTH 2.0. although, Google has changed its settings to use the service, so now you will specifically have to change some properties to use OAUTH 2.0 and this is the case in OWIN 3.0 middleware. Refer to this link if you are receiving a "access_denied" error message. blogs.msdn.com/b/webdev/archive/2014/07/02/…

@AliHmer Thanks a lot buddy. You saved my day :) &output=embed worked like a a charm for me.. :)

Doesn't work for Google-calendar iframe within app webview either.

how o i do this i f i wan tto display my other website inside my mobile app in a iframe

@AliHmer I have an error as A potentially dangerous Request.Path value was detected when I used &output=embed. Could give me a suggestion/solution to resolve this?

Bogdan Alexandru Militaru

Try to use

https://www.youtube.com/embed/YOUR_VIDEO_CODE

You can find all embeded code in 'Embeded Code' section and that looks like this

<iframe width="560" height="315"  src="https://www.youtube.com/embed/YOUR_VIDEO_CODE" frameborder="0" allowfullscreen></iframe>

Scott Stensland

They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So this iframe is not able to display cross domain

https://i.stack.imgur.com/pva59.png

For this purpose you need to match the location in your apache or any other service you are using

If you are using apache then in httpd.conf file.

  <LocationMatch "/your_relative_path">
      ProxyPass absolute_path_of_your_application/your_relative_path
      ProxyPassReverse absolute_path_of_your_application/your_relative_path
   </LocationMatch>

What is your_relative_path?

What is it your_relative_path?

StuperUser

If you are using iframe for vimeo, change the url from:

https://vimeo.com/63534746

to:

http://player.vimeo.com/video/63534746

It works for me.

In case someone does a quick drive by and use this solution: Please note the change from HTTPS to HTTP, a not secure protocol. Your requirements may vary but Beware. Personally I would avoid this solution. Also; HTTP is quickly going out of fashion and I would not be suprised if browsers won't allow for it at all in the near future.

Irfan Muhammad

For embeding youtube video into your angularjs page, you can simply use following filter for your video

app.filter('scrurl', function($sce) { return function(text) { text = text.replace("watch?v=", "embed/"); return $sce.trustAsResourceUrl(text); }; });

theblindprophet

I did the below changes and works fine for me.

Just add the attribute <iframe src="URL" target="_parent" />

_parent: this would open embedded page in same window.

_blank: In different tab

I don't know how relevant is that answer to the original question, but in my case, in a different context, it provided the solution

parliament

For me the fix was to go into console.developer.google.com and add the application domain to "Javascript Origins" section of OAuth 2 credentials.

double-beep

I was having the same issue implementing in Angular 9. These are the two steps I did:

Change your YouTube URL from https://youtube.com/your_code to https://youtube.com/embed/your_code. And then pass the URL through DomSanitizer of Angular. import { Component, OnInit } from "@angular/core"; import { DomSanitizer } from '@angular/platform-browser'; @Component({ selector: "app-help", templateUrl: "./help.component.html", styleUrls: ["./help.component.scss"], }) export class HelpComponent implements OnInit { youtubeVideoLink: any = 'https://youtube.com/embed/your_code' constructor(public sanitizer: DomSanitizer) { this.sanitizer = sanitizer; } ngOnInit(): void {} getLink(){ return this.sanitizer.bypassSecurityTrustResourceUrl(this.youtubeVideoLink); } }

Kevin

Little late, but this error can also be caused if you use a native application Client ID instead of a web application Client ID.

What do you mean? I also noticed that the frame works in a Safari window, but not in an app's webview's iframe, but how do you change this?

My issue was similar, when making the web application Client ID I didn't include my website's uris in two sections you put them there when making the client id in the google developers console

Dimitris Voudrias

There is a solution that worked for me, referring to the parent. After getting the url that will redirect to google authentication page, you can try the following code:

var loc = redirect_location;      
window.parent.location.replace(loc);

Peter Haddad

Thanks for the question. For YouTube iframe the first issue is the URL you have given, is it embedded URL or URL link from address bar. this error for non embed URL but if you want to give non embed URL then you need to code in "safe Pipe" like(for both non embedded or embed URL ) :

import {Pipe, PipeTransform} from '@angular/core';
import {DomSanitizer} from '@angular/platform-browser';

@Pipe({name: 'safe'})
export class SafePipe implements PipeTransform {

constructor(private sanitizer: DomSanitizer) {

}

transform(value: any, url: any): any {
    if (value && !url) {
        const regExp = /^.*(youtu.be\/|v\/|u\/\w\/|embed\/|watch\?v=|\&v=)([^#\&\?]*).*/;
        let match = value.match(regExp);
        if (match && match[2].length == 11) {
            console.log(match[2]);
            let sepratedID = match[2];
            let embedUrl = '//www.youtube.com/embed/' + sepratedID;
            return this.sanitizer.bypassSecurityTrustResourceUrl(embedUrl);
        }

     }

   }
}

it will split out "vedioId". You have to get video id then set to URL as embedded. In Html

 <div>
   <iframe width="100%" height="300" [src]="video.url | safe"></iframe>
 </div>

Angular 2/5 thanks again.

Great solution. Thank you.

Arul

add the below with URL Suffix

/override-http-headers-default-settings-x-frame-options

@NickDimou Try this linkedin.com/pulse/working-iframe-angular-thiago-adriano

Luis H Cabrejo

Had an similar issue embeding youtube chat and I figure it out. Maybe there is a similar solution for similar problem.

Refused to display 'https://www.youtube.com/live_chat?v=yDc9BonIXXI&embed_domain=your.domain.web' in a frame because it set 'X-Frame-Options' to 'sameorigin'

My webpage works with www and without it. So to make it work you need to make sure you load the one that is listed on the embed_domain= value... Maybe there is a variable your missing to tell where to embed your iframe. To fix my problem had to write a script to detect the right webpage and execute proper iframe embed domain name.

<iframe src='https://www.youtube.com/live_chat?v=yDc9BonIXXI&embed_domain=your.domain.web' width="100%" height="600" frameborder='no' scrolling='no'></iframe>

<iframe src='https://www.youtube.com/live_chat?v=yDc9BonIXXI&embed_domain=www.your.domain.web' width="100%" height="600" frameborder='no' scrolling='no'></iframe>

Understand you are not using iframes, but still there may be some variable you need to add to your syntax to tell it where the script is going to be used.

C. Cosse

On apache you need to edit security.conf:

nano /etc/apache2/conf-enabled/security.conf

and set:

Header set X-Frame-Options: "sameorigin"

Then enable mod_headers:

cd /etc/apache2/mods-enabled

ln -s ../mods-available/headers.load headers.load

And restart Apache:

service apache2 restart

And voila!

askrynnikov

If you are using iframe for Google Docs Viewer, change iframe from:

iframe src="https://docs.google.com/viewer?url=' + url_your_document

to:

iframe src="https://docs.google.com/viewer?url=' + url_your_document + '&embedded=true"

It works for me.

Sami In

Here is code which I used and displayed successfully in Iframe and I am making this code in cshtml in C#.

@if (item.DisplayValue2 != null)
{
   <div id="collapse_@item.ID" class="collapse" role="tabpanel" aria-labelledby="heading_@item.ID" data-parent="#accordion" style="">
   <div class="card-body">
      @item.DisplayValue1
   </div>
   <br /> <br />
   @{
       var url = item.DisplayValue2.Replace("watch?v=", "embed/");
     }
    <iframe width="560" height="315" src=@url frameborder="0" allowfullscreen                            style="margin-bottom: 25px; margin-left: 25px;">   
   </iframe></div>

mahdi moghimi

I test all items but this code help me:

       ?rs:embed=true

For example I want to load a pbix in my application. I use this code :

   <iframe id="pageIFrame" class="iFrame" src="http://MyServer/ReportS/powerbi/Test?rs:embed=true"></iframe>

And it works.

Nutzs

Ran into this similar issue while using iframe to logout of sub sites with different domains. The solution I used was to load the iframe first, then update the source after the frame is loaded.

var frame = document.createElement('iframe'); frame.style.display = 'none'; frame.setAttribute('src', 'about:blank'); document.body.appendChild(frame); frame.addEventListener('load', () => { frame.setAttribute('src', url); });

Feng Zhang

youtube/embed, two flavors:

https://www.youtube.com/embed/watch?v=eAxV4uO8oTU&list=RDeAxV4uO8oTU&start_radio=1 https://www.youtube.com/embed/CNG7yrHHJ5A

paste in your browser and see

the original:

https://www.youtube.com/watch?v=eAxV4uO8oTU&list=RDeAxV4uO8oTU&start_radio=1 https://www.youtube.com/watch?v=CNG7yrHHJ5A

one needs to keep "watch?V=", the other not

remon78eg

in the php file (index.php) add this line in the top

<?php
    header('Cross-Origin-Embedder-Policy: require-corp | same-site | same-origin | cross-origin');
?>

if still not work try this

<?php
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Allow-Headers: Accept, X-Access-Token, X-Application-Name, X-Request-Sent-Time");
    header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
    header("Access-Control-Allow-Origin: *");
    header('Cross-Origin-Opener-Policy: same-origin');
    header('Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin');
    header('Cross-Origin-Embedder-Policy: require-corp | same-site | same-origin | cross-origin');
?>

Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

相似问题

How do I set the value property in AngularJS' ng-options?

Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'

Follow WeChat

Want to stay one step ahead of the latest teleworks?

相似问题

Platform

Support

Contact US