Set X-Frame-Options

Hi,

I’ve been using Tutor for both development and production installation for almost a year now, and I’ve been really impressed by how easy it is to customize and deploy Open edX using Tutor. Whenever I have a question on how to accomplish something, I always find an answer in the online documentation and here on the community forum, until I ran into the issue I’m facing now. I’m hoping somebody or Regis can give me some guidance.

We would like other websites (domains) to be able to embed content from our Tutor installation in an HTML iframe. When testing this on a simple HTML page, it throws the following error -

Refused to display ‘https://tutorexample.com/’ in a frame because ‘X-Frame-Options’ is set to ‘sameorigin’.

It’s obvious that the solution would be to somehow change NGINX’s X-Frame-Options to ALLOW-FROM some address. How do you go about doing this in Tutor?

Appreciate your time and thank you in advance.

After doing some more reading on this forum it looks like one option is to add the following to lms.conf.

/home/tutor_installation/.local/share/tutor/env/apps/nginx/lms.conf

add_header X-Frame-Options "ALLOW-FROM www.wyworx.com";
add_header Content-Security-Policy "frame-ancestors www.wyworx.com";

I stopped and restarted Tutor and it now renders the content on the iframe.

I thought I should post this solution in case anybody runs into a similar issue.

2 Likes

Thanks for posting the solution @wyworx! Are you familiar with tutor plugins? To make your changes last, you should create a plugin that implements the “nginx-lms” patch.

Thanks, Regis. I tried the following, but it did not seem to work. I am probably missing something.

name: tutoriframe 
version: 1.0 
patches:
  nginx-lms: |
    add_header X-Frame-Options “ALLOW-FROM www.wyworx.com”,
    add_header Content-Security-Policy “frame-ancestors www.wyworx.com”

This plugin will almost certainly trigger nginx errors, as the lines do not end with semicolons “;”.
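A small lint for the failure discussed in this thread, added here as an example; it is not part of any post and not Tutor's own code. The names `patch_lines` and `lint_nginx_patch` are hypothetical, the samples are constructed from the snippets above, and the check assumes one-line directives and reads the patch block without a YAML library.

```python
import re

TYPOGRAPHIC_QUOTES = "“”‘’"

# Constructed samples: BROKEN mirrors the plugin posted in the thread, FIXED uses
# the two directives the original poster reported working in lms.conf.
BROKEN = """\
name: tutoriframe
version: 1.0
patches:
  nginx-lms: |
    add_header X-Frame-Options “ALLOW-FROM www.wyworx.com”,
    add_header Content-Security-Policy “frame-ancestors www.wyworx.com”
"""
FIXED = """\
name: tutoriframe
version: 1.0
patches:
  nginx-lms: |
    add_header X-Frame-Options "ALLOW-FROM www.wyworx.com";
    add_header Content-Security-Policy "frame-ancestors www.wyworx.com";
"""

def patch_lines(plugin_text, patch_name):
    """Yield (line_number, stripped_text) for the body of one patch block scalar."""
    key_indent = None
    for number, line in enumerate(plugin_text.splitlines(), start=1):
        if key_indent is None:
            match = re.match(r"(\s*)" + re.escape(patch_name) + r":\s*\|", line)
            if match:
                key_indent = len(match.group(1))
            continue
        if not line.strip():
            continue
        if len(line) - len(line.lstrip()) <= key_indent:
            return  # dedent: the block scalar has ended
        yield number, line.strip()

def lint_nginx_patch(plugin_text, patch_name="nginx-lms"):
    """Return (line_number, level, message) findings for one-line nginx directives."""
    findings = []
    for number, text in patch_lines(plugin_text, patch_name):
        if text.startswith("#"):
            continue  # nginx comment line
        if any(quote in text for quote in TYPOGRAPHIC_QUOTES):
            findings.append((number, "error", "typographic quotes; nginx only parses ASCII quotes"))
        if not text.endswith((";", "{", "}")):
            findings.append((number, "error", "directive does not end with ';'"))
        if re.search(r"X-Frame-Options\W+ALLOW-FROM", text, re.IGNORECASE):
            findings.append((number, "note", "ALLOW-FROM is obsolete and ignored by current browsers; frame-ancestors is the effective control"))
    return findings
```

On the constructed samples, `lint_nginx_patch(BROKEN)` reports the quote and terminator errors on both directive lines, while `lint_nginx_patch(FIXED)` leaves only the note about `ALLOW-FROM`.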
