
Not possible to overwrite X-Frame-Options to allow for frames #258

Closed
jacknojo opened this issue Apr 15, 2023 · 3 comments

Comments

@jacknojo

Hi.

I am completely new to web development so perhaps there is some other way to solve this issue.

I have two routes

  • "/" which contains an iframe pointing to the other route:
  • "/form".

When loading this in my browser I am told that the "/form" content cannot be viewed. This is due to it having "X-Frame-Options: DENY".

I have tried, in the response r of the "/form" route, to Dream.set_header r "X-Frame-Options" "SAMEORIGIN", but this results in two X-Frame-Options headers being sent, one with SAMEORIGIN and one with DENY.

Is there some way of solving this issue?

Thanks for a cool library!

@aantron
Owner

aantron commented Apr 15, 2023

In my recollection, Dream doesn't set X-Frame-Options by default. We had issues about that and some other headers (#48, #49), but I decided that it's best to document how to use X-Frame-Options and let the developer make the choice to use it or not, since these techniques are highly situational, incomplete, interfere with development, and the risks are also handled by other means. This resulted in the example w-content-security-policy.

I just checked by running the example 2-middleware, and the only headers it sets by default are

Content-Length: 20
Content-Type: text/html; charset=utf-8

Are you, by any chance, doing something more complex, and/or running Dream behind a reverse proxy server that might be adding headers?

@jacknojo
Author

I don't know why I didn't think of that. It was indeed nginx adding this header.

I have added add_header Content-Security-Policy "frame-ancestors example.com"; to my nginx configuration file and things are now working.

Thank you.
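The two behaviours seen in this thread (a second X-Frame-Options header making things worse, and a Content-Security-Policy frame-ancestors directive fixing them even while the proxy's DENY header is still present) are both browser-side decisions. The following is an added example, not code from the Dream project or from either participant: a small model of that decision, following the X-Frame-Options check in the HTML standard (an enforced frame-ancestors directive takes precedence; several distinct X-Frame-Options values that include a recognised token are treated as a block) plus a simplified frame-ancestors matcher ('none', 'self', and host sources with optional scheme, port and a leading "*." wildcard; no path or port wildcards). The origins and header sets are constructed for the demonstration.

```python
"""Browser-side framing decision, modelled after the HTML standard's
"check a navigation response's adherence to X-Frame-Options".
Added example; origins, header sets and the simplified CSP matcher are
assumptions made here, not the Dream project's code."""
from __future__ import annotations

from urllib.parse import urlsplit


def _header_values(headers: list[tuple[str, str]], name: str) -> list[str] | None:
    """'Get, decode and split': gather every field called `name` (case-insensitive),
    split each on commas, strip whitespace. None when the header is absent."""
    found = [v for n, v in headers if n.lower() == name.lower()]
    if not found:
        return None
    return [piece.strip() for v in found for piece in v.split(",")]


def _origin_parts(origin: str) -> tuple[str, str, str]:
    """(scheme, host, port) with the default port filled in, for origin comparison."""
    u = urlsplit(origin)
    default = {"https": "443", "http": "80"}.get(u.scheme, "")
    return u.scheme, u.hostname or "", str(u.port) if u.port else default


def _source_matches(source: str, ancestor: str, page_origin: str) -> bool:
    """Simplified CSP host-source matching (assumption: no path, no port wildcard)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(ancestor) == _origin_parts(page_origin)
    a_scheme, a_host, a_port = _origin_parts(ancestor)
    scheme, _, rest = source.partition("://") if "://" in source else ("", "", source)
    host, _, port = rest.partition(":")
    if scheme and a_scheme != scheme:
        return False
    if not scheme and a_scheme not in (_origin_parts(page_origin)[0], "https"):
        return False  # scheme-less source: the page's own scheme or its https upgrade
    if port and a_port != port:
        return False
    if host.startswith("*."):
        return a_host.endswith(host[1:])  # "*.example.com" matches sub.example.com
    return a_host == host


def _frame_ancestors(headers: list[tuple[str, str]]) -> list[str] | None:
    """Source list of the first enforced frame-ancestors directive, or None."""
    for policy in _header_values(headers, "Content-Security-Policy") or []:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_allowed(headers: list[tuple[str, str]], page_origin: str,
                    ancestors: list[str]) -> bool:
    """Would a browser render this response inside a frame whose ancestor chain
    (nearest first) has the given origins?"""
    if not ancestors:
        return True  # top-level navigation: neither mechanism applies
    sources = _frame_ancestors(headers)
    if sources is not None:
        # An enforced frame-ancestors directive wins; X-Frame-Options is ignored.
        return all(any(_source_matches(s, anc, page_origin) for s in sources)
                   for anc in ancestors)
    raw = _header_values(headers, "X-Frame-Options")
    if raw is None:
        return True
    values = {v.lower() for v in raw}
    if len(values) > 1:
        # Conflicting values (e.g. SAMEORIGIN plus DENY, as in the thread) block
        # when any recognised token is present; all-unknown values are ignored.
        return not values & {"deny", "sameorigin", "allowall"}
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        page = _origin_parts(page_origin)
        return all(_origin_parts(anc) == page for anc in ancestors)
    return True  # a single unrecognised value is ignored


# Constructed responses mirroring the thread; example.com stands in for the app's host.
PAGE = "https://example.com"
DENY_ONLY = [("X-Frame-Options", "DENY")]
DUPLICATED = [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")]
CSP_FIX = [("X-Frame-Options", "DENY"),
           ("Content-Security-Policy", "frame-ancestors example.com")]


def demo() -> dict[str, bool]:
    """Each case: can the page frame its own /form route, or can a foreign origin?"""
    return {
        "deny_only_same_origin": framing_allowed(DENY_ONLY, PAGE, [PAGE]),
        "duplicated_same_origin": framing_allowed(DUPLICATED, PAGE, [PAGE]),
        "csp_fix_same_origin": framing_allowed(CSP_FIX, PAGE, [PAGE]),
        "csp_fix_foreign_origin": framing_allowed(CSP_FIX, PAGE, ["https://other.example.net"]),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'framing allowed' if allowed else 'blocked'}")
```

One nginx detail worth knowing when reproducing the fix above: add_header directives are inherited from the enclosing level only if the current level has none of its own, so an add_header Content-Security-Policy placed in a location block stops a server-level add_header X-Frame-Options from applying to that route at all. Whether the DENY header disappears for that reason or both headers reach the browser, the frame-ancestors directive decides.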

@aantron
Owner

aantron commented Apr 16, 2023

Great, thanks!
