Sometimes when you try to load a website into an iFrame, you get this weird error that says “Blocked by X-Frame-Options Policy”.
Firefox prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it.
This error occurs because Firefox does not allow websites to be opened inside an iFrame for security purposes.
If you check your Chrome Developers Tool console, you will find this error:
Load denied by X-Frame-Options: “SAMEORIGIN” from “site”, site does not permit cross-origin framing from “site”.
These tools try to load your website in an iframe to test its responsiveness. So when this error occurs you wonder if something is wrong with your website. But it’s not the case. It’s the browser preventing this from working.
How to Fix the X-Frame Options Policy
There’s a workaround that will allow your websites to be run inside an iFrame and you should be able to use all those responsiveness tools.
Here’s how you can do it:
For Linux Servers and Hosting Accounts:
For Linux web servers, the X-frame-options header is set by default to “sameorigin” which does not allow the website data to be communicated via iframes.
In order to remove the x-frame-options, add the following line to the .htaccess file for the website that you want to allow remote access to:
Header always unset X-Frame-Options
For Windows Servers and Hosting:
In Windows web servers, the X-frame-options are not set by default. Which means that other apps and access your website’s data and load it in the iframe.
In case it has been blocked:
- Open the Internet Information Services (IIS) manager
- Select the site you want to remove the header from
- Double-click the HTTP Response Headers option in the middle
- Remove the X-frame-options header
Alternate Solution: Install “Ignore X-Frame-Options Header” Firefox Add-on
This is a Firefox add-on that can be used to achieve the same results if you do not have access to the web server.
Installing this Add-on will let you bypass the x-frame-options policy and allow the website to be loaded in the iframe.
These are the two methods to bypass the frame options policy and let other apps access your website.