Apache on Mac OS X is configured with security in mind. Apple ships it with a setting that sends the X-Frame-Options header, which prevents content hosted on a Mac OS X server from showing up inside an iframe on another site.
Well-written web apps (like WordPress) already send the x-frame-options header. My personal preference is to turn this off globally and then ensure that my web apps send it as needed.
Here’s how to disable it:
In Mac OS X 10.6, it is included in the /etc/apache2/httpd_teams_required.conf file. Edit this file in your favorite editor and find the line that reads:
<IfModule mod_headers.c>
    Header set X-Frame-Options "SameOrigin"
</IfModule>
Apple evidently intends this setting for the wiki/blog server in Mac OS X Server, so let's restrict the header to the /groups location, where the wiki/blog server still gets the protection it needs. Change the block to:
<IfModule mod_headers.c>
    <Location /groups>
        Header set X-Frame-Options "SameOrigin"
    </Location>
</IfModule>
Thankfully, it looks like Mac OS X 10.7 Lion is more judicious in how this header is applied.
BTW, for those interested, I located this line originally from the terminal using this command:
$ sudo grep -ir 'x-frame-options' /etc/apache2
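To confirm what the edit changed, this added example (not from the original post) reports, for each active X-Frame-Options directive in an Apache config file, whether it applies globally or only inside a `<Location>` block. The helper name `xfo_scope` and the sample files are constructed for illustration; it handles plain `<Location>` blocks only, not `<LocationMatch>` or other nested sections.

```shell
#!/bin/sh
# xfo_scope FILE  (hypothetical helper name, not part of Apache or Mac OS X)
# Prints "<scope> <value>" for each active Header directive that sets
# X-Frame-Options; <scope> is "global" or the enclosing <Location> path.
xfo_scope() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
          low = tolower(line) }
        low ~ /^#/ { next }                        # commented out: not active
        low ~ /^<location[ \t]/ {                  # entering <Location path>
            loc = line
            sub(/^<[^ \t]+[ \t]+/, "", loc)
            sub(/[ \t]*>.*$/, "", loc)
            gsub(/"/, "", loc)
            next
        }
        low ~ /^<\/location>/ { loc = ""; next }   # leaving the block
        low ~ /^header[ \t]+([a-z]+[ \t]+)?(set|append|add)[ \t]+"?x-frame-options/ {
            val = line
            sub(/.*[Xx]-[Ff][Rr][Aa][Mm][Ee]-[Oo][Pp][Tt][Ii][Oo][Nn][Ss]"?[ \t]*/, "", val)
            gsub(/"/, "", val)
            scope = (loc == "") ? "global" : loc
            print scope, val
        }
    ' "$1"
}

# Constructed sample files: the shipped form and the /groups-scoped form.
tmp=$(mktemp -d)
printf '%s\n' '<IfModule mod_headers.c>' \
    'Header set X-Frame-Options "SameOrigin"' '</IfModule>' > "$tmp/shipped.conf"
printf '%s\n' '<IfModule mod_headers.c>' '<Location /groups>' \
    'Header set X-Frame-Options "SameOrigin"' '</Location>' \
    '</IfModule>' > "$tmp/scoped.conf"
xfo_scope "$tmp/shipped.conf"
xfo_scope "$tmp/scoped.conf"
rm -rf "$tmp"
```

Point it at each file the grep command above reports; a `global` line means every response from that server carries the header, so removing it leaves framing protection to the individual web apps.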
perfect! thank you very much!
hans
It works with Safari only, not with Firefox.
Can you tell me how to make it work with Firefox?
@denz: This is a server-based solution, so if it works with one browser, it will work with all. You must have a cache issue with your browser.
It works, but in Safari you can click on any button (like +), but in Firefox it does nothing.
error :Permission denied to access property ‘AppleUnitTester’
Sorry – error :
Permission denied to access property ‘AppleUnitTester’
Hi,
I have the same problem with Lion Server: the content of the iframe becomes empty when registering the page.
I can’t find the file to change the code, and I don’t know if it would run with it!
Do you know what to do?
Thanks
@denz: I’m sorry, I really don’t understand your comments at all.
@Sebastien, look at the last line of my post. It refers to a command to find the name of the file where the x-frame-options header is set. I don’t have a Lion Server installation so I can’t comment on its location. However, that command shows that in Mac OS X 10.7.3 client it appears in /etc/apache2/httpd_devicemanagement.conf
For Lion Server you want to edit the file /etc/apache2/httpd_corecollaboration_required.conf. I simply commented out the line that sets the X-Frame-Options. Nice about Lion: The options in the Wiki server stay intact.
RequestHeader set x-apple-service-wiki-enabled true
# Add the x-app-scheme header for https requests
RequestHeader set X-App-Scheme https env=https
# xxx
# Header set X-Frame-Options "SameOrigin"
@sven, thanks for sharing! Good info.