Set X-Frame-Options

Hi,

I’ve been using Tutor for both development and production installation for almost a year now and I’ve been really impressed on how easy it is to customize and deploy OpenEdx using Tutor. Whenever I have a question on how to accomplish something I always find an answer on the online documentation and here on the community forum until I ran into the issue I’m facing now. I’m hoping somebody or Regis can give me some guidance.

We would like other websites (domains) to be able to embed content from our Tutor installation in an HTML iframe. When testing this on a simple HTML page, it throws the following error -

Refused to display ‘https://tutorexample.com/’ in a frame because ‘X-Frame-Options’ is set to ‘sameorigin’.

It’s obvious that the solution would be to somehow change NGINX’s X-Frame-Option to ALLOW FROM some address. How do you go about doing this in Tutor?

Appreciate your time and thank you in advance.

After doing some more reading on this forum it looks like one option is to add the following to lms.conf.

/home/tutor_installation/.local/share/tutor/env/apps/nginx/lms.conf

add_header X-Frame-Options "ALLOW-FROM www.wyworx.com";
add_header Content-Security-Policy "frame-ancestors www.wyworx.com";

I stopped and restarted Tutor and it now renders the content on the iframe.

I thought I should post this solution in case anybody runs into a similar issue.

1 Like

Thanks for posting the solution @wyworx! Are you familiar with tutor plugins? To make your changes last, you should create a plugin that implements the “nginx-lms” patch.

Thanks, Regis. I tried the following but did not seem to work. I probably am missing something.

name: tutoriframe 
version: 1.0 
patches:
  nginx-lms: |
    add_header X-Frame-Options “ALLOW-FROM www.wyworx.com”,
    add_header Content-Security-Policy “frame-ancestors www.wyworx.com”

This plugin will almost certainly trigger nginx errors, as the lines do not end with semicolons “;”.