CORS, or Cross-Origin Resource Sharing, policies prevent inline frame operation unless explicit permission is granted by the domain that resources are embedded from. This access is typically provided or prevented through the X-Frame-Options directives in the embedded site's .htaccess file. You may see errors similar to the following.
Blocked by X-Frame-Options Policy
Refused to display 'https://domain.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
X-Frame-Options is a security header that helps protect websites against clickjacking attacks by specifying who is allowed to embed the site within an iframe. When a website includes the X-Frame-Options header in its HTTP response, it informs the browser whether it should allow the site to be loaded within an iframe on another domain.
The header provides three options: "DENY" (prevents any framing), "SAMEORIGIN" (allows framing only by pages from the same origin), and "ALLOW-FROM" (specifies a specific domain allowed to frame the site). By implementing X-Frame-Options, website owners can control how their content is presented within iframes, reducing the risk of clickjacking vulnerabilities and improving overall security.
Modify Header
- Log into the cPanel
  NOTE: The X-Frame-Options directive needs to be set on the server being loaded in the iframe, not the requesting server.
  EXAMPLE: sitea.com has an iframe attempting to load siteb.com. The X-Frame-Options directive will need to be added to siteb.com.
- Navigate to the File Manager, located in the Files section
- Navigate to the site's document root
- Edit the .htaccess file
  TIP: If .htaccess is not present, show hidden files in File Manager.
- Add the following two lines to the top of the .htaccess file
    Header always unset X-Frame-Options
    Header set Access-Control-Allow-Origin "https://domain.com"
  REPLACE: Replace domain.com with the requesting domain.
  EXAMPLE: Following the previous example, replace domain.com with sitea.com to allow sitea.com to load siteb.com in an iframe.
NOTE: More information can be found in Mozilla's Cross-Origin Resource Sharing (CORS) guide.
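The following is an added example, not part of this article or of cPanel: it evaluates the three X-Frame-Options values described above (DENY, SAMEORIGIN, ALLOW-FROM) against the origin of the framing page, so the header returned by the embedded site (siteb.com in the example) can be checked before and after the .htaccess change. The header blocks BEFORE and AFTER are constructed samples, and the domain names are the article's placeholders.

```python
# Added example, not from the original article: evaluate the X-Frame-Options
# values the article lists (DENY, SAMEORIGIN, ALLOW-FROM) against a framing page,
# so the header returned by the embedded site can be checked before and after
# the .htaccess change. Sample header blocks below are constructed, not captured.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into {lower-case name: value}."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def framing_verdict(raw_headers: str, embedded_url: str, framing_url: str) -> str:
    """Return 'allowed', 'blocked' or 'misconfigured' for framing_url embedding embedded_url."""
    xfo = parse_headers(raw_headers).get("x-frame-options")
    if xfo is None:                      # header absent (e.g. after 'Header always unset')
        return "allowed"
    value = xfo.upper()
    if value == "DENY":
        return "blocked"
    if value == "SAMEORIGIN":
        return "allowed" if origin_of(embedded_url) == origin_of(framing_url) else "blocked"
    if value.startswith("ALLOW-FROM"):   # legacy form; current browsers no longer honour it
        fields = value.split(None, 1)
        if len(fields) < 2:
            return "misconfigured"
        return "allowed" if origin_of(fields[1]) == origin_of(framing_url) else "blocked"
    return "misconfigured"               # any other value: fix the directive, do not rely on it


# Constructed responses from siteb.com, before and after the .htaccess change.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: deny\r\n"
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nAccess-Control-Allow-Origin: https://sitea.com\r\n"

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, framing_verdict(hdrs, "https://siteb.com/", "https://sitea.com/"))
```

To check a live site, paste the header block returned by a request to the embedded page in place of the constructed samples.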