Drupal - How to enable Drupal site to be in an iframe?
Since Drupal 7.50, core is now protected against clickjacking by default (X-Frame-Options: SAMEORIGIN).
So by default, your Drupal site can only be embedded into a site on the same domain.
To change those settings, assuming of course you understand the associated risks, follow the advice in the change record:
- If you are using a module such as Security Kit that already writes the X-Frame-Options header on its own, that setting will be automatically respected (pending the patch at #2661644: Integrate with Drupal core clickjacking defense) and Drupal core will not overwrite it. The Security Kit module provides an administrative interface for setting this header, so it's a good choice if you need to override the default Drupal core behavior and aren't sure exactly how to do it.
Alternatively, set the 'x_frame_options' variable via any standard method, for example in settings.php:
// Turn off the X-Frame-Options header entirely, to restore the previous // behavior of allowing the site to be embedded in a frame on another site. $conf['x_frame_options'] = '';
or
// Set the "DENY" option to prevent the site from ever being embedded in a // frame at all, even on this site itself. $conf['x_frame_options'] = 'DENY';
See https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options for more information on the various options this header can take.
Removing the header (as shown in the first example code snippet above) should not be done lightly, or else your Drupal site could be embedded on other sites and then the user tricked into doing actions they don't want.
If you want to remove the X-Frame-Options header in hook_page_alter() or theme preprocess functions that run later you can remove the header like this (requires PHP >= 5.3):
header_remove('X-Frame-Options');