error

Refused to display 'http://local.dev:8000' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

solution

With helmet

import express from "express";
import helmet from "helmet";

let app = express();
// ...
// other configs
// deny all framing
app.use(
  helmet(
    {
      frameguard: "deny"
    }
  )
)

// only allow SAMEORIGIN
app.use(
  helmet(
    {
      frameguard: "sameorigin"
    }
  )
)

// allow from one domain
app.use(
  helmet(
    {
      action: "allow-from",
      domain: "http://example.com"
    }
  )
)

// allow all origins // not working
app.use(helmet({
  frameguard: {
    action: "allow-from",
    domain: "*"
  }
}))

// other configs
// ...

Dirty header

response.header("Access-Control-Allow-Origin", "*");
response.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
response.header("X-Frame-Options", "ALLOW-FROM *");

documentation

https://helmetjs.github.io/docs/frameguard/
https://github.com/helmetjs/helmet
http://expressjs.com/

← Previous Archive Next →

Published

13 December 2016

Category

memo

Tags