Apache on Mac OS X is configured with security in mind. Apple has chosen to ship it with a setting that causes the x-frame-options header to be sent, which has the effect of causing content hosted on a Mac OS X server to not show up inside and iframe on another site.
Well-written web apps (like WordPress) already send the x-frame-options header. My personal preference is to turn this off globally and then ensure that my web apps send it as needed.
Here’s how to disable it:
In Mac OS X 10.6, it is included in the /etc/apache2/httpd_teams_required.conf file. Edit this file in your favorite editor and find the line that reads:
<ifmodule mod_headers.c> Header set X-Frame-Options "SameOrigin" </ifmodule>
It’s obvious that Apple intends for this setting for the wiki/blog server in Mac OS X server, so let’s make sure it’s set up to still provide the protection needed by the wiki/blog server.
<ifmodule mod_headers.c> <location /groups> Header set X-Frame-Options "SameOrigin" </location> </ifmodule>
Thankfully, it looks like Mac OS X 10.7 Lion is more judicious in how this header is applied.
BTW, for those interested, I located this line originally from the terminal using this command:
$sudo grep -ir 'x-frame-options' /etc/apache2