X-Frame-Option=SAMEORIGIN doesn't let my application be visualized inside iframe
I call local server application inside iFrame. I see an empty iframe box in browser end error: "Refused to display 'http://localhost:8080/hello' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
To make it work I had to remove line "response.addHeader("X-Frame-Options", "SAMEORIGIN");" from "void WebRenderer::serveBootstrap(WebResponse& response)" method.
It it a bug or there is some workaround besides code changing?
Updated by Marco Kinski 8 months ago
I would appreciate a setting for the WApplication instance which let's the developer of the app decide if it needs prevention from clickjacking or not.
I then would build two flavors of the app. One without access to security related functionality but allowed to get embeded and a unrestricted not embedable.