Can’t display content hosted by Mac OS X server in an iframe? Here’s how!

Apache on Mac OS X is configured with security in mind. Apple has chosen to ship it with a setting that causes the X-Frame-Options header to be sent, which prevents content hosted on a Mac OS X server from showing up inside an iframe on another site.

Well-written web apps (like WordPress) already send the X-Frame-Options header themselves. My personal preference is to turn the server-wide setting off and then ensure that my web apps send the header as needed.

Here’s how to disable it:

In Mac OS X 10.6, the setting is in the /etc/apache2/httpd_teams_required.conf file. Edit this file in your favorite editor and find the lines that read:

<ifmodule mod_headers.c>
   Header set X-Frame-Options "SameOrigin"
</ifmodule>

It’s obvious that Apple intends this setting for the wiki/blog server in Mac OS X Server, so let’s make sure it still provides the protection the wiki/blog server needs. Change the block to:

<ifmodule mod_headers.c>
   <location /groups>
      Header set X-Frame-Options "SameOrigin"
   </location>
</ifmodule>

Thankfully, it looks like Mac OS X 10.7 Lion is more judicious in how this header is applied.

BTW, for those interested, I located this line originally from the terminal using this command:

$ sudo grep -ir 'x-frame-options' /etc/apache2
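Going one step beyond the grep above, the following added example (not part of the original post) reports for each X-Frame-Options directive whether it applies globally or only inside a `<Location>` block, which is the distinction the edit above relies on. The function name `xfo_scope` and the sample files are constructed for illustration; nesting in other containers such as `<VirtualHost>` or `<LocationMatch>` is not tracked.

```shell
#!/bin/sh
# xfo_scope DIR: list every X-Frame-Options "Header" directive in DIR/**/*.conf.
# Output format: file:line:scope:directive
# scope is "global" or the path of the enclosing <Location>.
# Assumption: only plain <Location path> nesting is tracked.
xfo_scope() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { line = $0; sub(/^[ \t]+/, "", line) }       # strip leading indent
            line ~ /^#/ { next }                          # ignore commented-out lines
            tolower(line) ~ /^<location[ \t]/ {           # entering <Location path>
                loc = line
                sub(/^<[^ \t]+[ \t]+/, "", loc)
                sub(/>[ \t]*$/, "", loc)
                next
            }
            tolower(line) ~ /^<\/location>/ { loc = ""; next }
            tolower(line) ~ /^header[ \t].*x-frame-options/ {
                printf "%s:%d:%s:%s\n", file, NR, (loc == "" ? "global" : loc), line
            }
        ' "$f"
    done
}

# Constructed sample input (not a real server config): the global form
# from 10.6 and the form scoped to /groups shown in this post.
demo=$(mktemp -d)
printf '%s\n' '<ifmodule mod_headers.c>' \
    '   Header set X-Frame-Options "SameOrigin"' \
    '</ifmodule>' > "$demo/global.conf"
printf '%s\n' '<ifmodule mod_headers.c>' \
    '   <location /groups>' \
    '      Header set X-Frame-Options "SameOrigin"' \
    '   </location>' \
    '</ifmodule>' > "$demo/scoped.conf"
xfo_scope "$demo"
rm -rf "$demo"
```

On a real server, run `xfo_scope /etc/apache2` (with sudo if the files are not world-readable); any line reported as `global` affects every site the server hosts.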

 

9 thoughts on “Can’t display content hosted by Mac OS X server in an iframe? Here’s how!”

  1. It works, but in Safari you can click on any button (like +), but in Firefox it makes nothing.
    error :Permission denied to access property ‘AppleUnitTester’

  2. Hi,
    I have the same problem with Lion Server, the content of the iframe becomes empty when registering the page.
    I can’t find the file to change the code, and I don’t know if it would run with it !

    Do you know what to do ???
    Thanks

  3. @denz: I’m sorry, I really don’t understand your comments at all.

    @Sebastien, look at the last line of my post. It refers to a command to find the name of the file where the x-frame-options header is set. I don’t have a Lion Server installation so I can’t comment on its location. However, that command shows that in Mac OS X 10.7.3 client it appears in /etc/apache2/httpd_devicemanagement.conf

  4. For Lion Server you want to edit the file /etc/apache2/httpd_corecollaboration_required.conf. I simply commented out the line that sets the X-Frame-Options. Nice about Lion: The options in the Wiki server stay intact.

    RequestHeader set x-apple-service-wiki-enabled true
    # Add the x-app-scheme header for https requests
    RequestHeader set X-App-Scheme https env=https
    # xxx
    # Header set X-Frame-Options "SameOrigin"
