How to configure X-Frame-Options for widgets?

signorpini · January 14, 2015, 1:49pm

Is it possible to configure the X-Frame-Options Header in Piwik without hacking any core files?

My Problem: Our Apache Webserver is setting X-Frame-Options: SAMEORIGIN on every request.
Piwik is sending an empty X-Frame-Options Header when we are embedding a Piwik widget on some website via iframe


<iframe src="https://www.mysite.xy/piwik/index.php?module=Widgetize&action=iframe..."></iframe>

This is OK in Firefox and IE, but Chrome won’t display the iframe showing this error instead

[quote=“Multiple ‘X-Frame-Options’ headers with conflicting values ('SAMEORIGIN, ') encountered when loading ‘http://mysite.xy’. Falling back to ‘DENY’.”][/quote]

I found out this is set in core/View.php (setXFrameOptions()). But how can I configure setXFrameOptions() to always send a SAMEORIGIN header or not to send any X-Frame-Options header at all without modifying View.php?

many thanks

(Using Piwik 2.10.0 and Chrome 39.0 on a Mac)

matthieu · February 11, 2015, 1:53am

Hi there,

could you create an issue on our tracker, with steps to reproduce ? thanks!

signorpini · February 11, 2015, 12:53pm

Thanks for the reply. Will try to open an issue this week.