As of Backdrop 1.9.0, core now protects against click-jacking by default by emitting the 'X-Frame-Options: SAMEORIGIN' header. This prevents the site from being embedded in an iframe on another domain.
This should not be disruptive for contributed modules or existing sites, unless a contributed module or site needs to embed the Backdrop site somewhere else (for example, in a Facebook application). If you do need to override this behavior, the methods for doing so are described below.
See also the related Drupal 7 change record.
How to override the default behavior
- Open the "system.core.json" configuration file in your site's configuration directory. At the bottom of this file there is a line containing "x_frame_options": "SAMEORIGIN". Change this option to "x_frame_options": false to disable setting the header, or use whatever value you would like to be set instead.
- If you are using a module that already writes the X-Frame-Options header on its own, that setting will be automatically respected and Backdrop core will not overwrite it.
- You can also set the 'system.core.x_frame_options' setting via an update hook, for example in a custom module:
<?php
/**
 * Implements hook_update_N().
 *
 * Disables the X-Frame-Options header: an empty (falsy) value has the same
 * effect as "x_frame_options": false in system.core.json.
 */
function modulename_update_1000() {
  $config = config('system.core');
  $config->set('x_frame_options', '');
  $config->save();
}
?>
or
<?php
/**
 * Implements hook_update_N().
 *
 * Sets the header to DENY, so the site cannot be framed at all, not even by
 * pages on the same origin.
 */
function modulename_update_1000() {
  $config = config('system.core');
  $config->set('x_frame_options', 'DENY');
  $config->save();
}
?>
See https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options for more information on the various options this header can take.
Removing the header (as shown in the first example code snippet above) should not be done lightly, or else your Drupal site could be embedded on other sites and users tricked into performing actions they did not intend.
- If you need to remove the X-Frame-Options header from a theme preprocess function, which runs later in the request, you can remove it like this:
<?php
// Passing NULL removes the header that core set earlier in the request.
backdrop_set_http_header('X-Frame-Options', NULL);
?>
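As an added illustration, not part of this change record or of Backdrop core, a small custom module can use the rule above (a header already written by a module is respected) to tighten the policy to DENY on administrative pages while leaving core's configured default in place everywhere else. It assumes hook_init(), current_path() and path_is_admin() behave as their Drupal 7 counterparts; "mymodule" is a placeholder module name.

```php
<?php
/**
 * Implements hook_init().
 *
 * Tightens click-jacking protection on administrative paths: those pages are
 * sent with "X-Frame-Options: DENY", so they cannot be framed even by pages
 * on the same origin. Every other path is left untouched, so core still emits
 * whatever "x_frame_options" value is configured in system.core.json.
 *
 * "mymodule" is a placeholder module name used for this example only.
 */
function mymodule_init() {
  $path = current_path();

  // path_is_admin() covers admin/* and any path registered as administrative
  // through hook_admin_paths(). Restrict this check to the paths you really
  // want locked down; everything else keeps the core default.
  if (path_is_admin($path)) {
    // hook_init() runs before page delivery, so the header is already set by
    // the time core would add its default, and core will not overwrite it.
    backdrop_set_http_header('X-Frame-Options', 'DENY');
  }
}
```

After enabling the module, comparing the response headers of an administrative path and a front-end path (for example with curl -sI) shows DENY on the former and the configured default on the latter.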