Sameorigin issue
I'm getting this issue on Chrome in the Authorize.Net Accept Hosted form, but it works in Firefox:
Refused to display 'https://mysiteurl.com/scripts/IFrameCommunicator.html#action=resizeWindow&width=1000&height=301' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Please help with this. What can I do?
03-28-2018 07:01 AM
Your browser isn't allowing the iframe communicator page to be loaded in an iframe because your server's web server (Apache or nginx, probably) is setting a response header indicating that this shouldn't be allowed.
Specifically, the web server is setting the "X-Frame-Options" header to "sameorigin", which means the browser should only load its content in an iframe if the referring page is also on "mysiteurl.com"... and because the iframe communicator page is being loaded in an iframe inside the authorize.net page (which was itself loaded as an iframe on your page), the iframe communicator page is not on the same domain as the authorize.net page.
The solution is to prevent your webserver from setting that header, or set it to allow requests from authorize.net. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options, especially where it says how to configure Apache or nginx to set the header.
If anyone knows of an easier fix, I'm all ears. But so far that's the best I can find.
09-12-2018 04:21 PM
X-Frame-Options is a header included in the response to the request to state whether the domain requested will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.
08-27-2021 12:57 AM