Roundcube Community Forum

Release Support => Pending Issues => Topic started by: martinv on February 01, 2022, 03:22:10 PM

Title: Login issues in iframe.
Post by: martinv on February 01, 2022, 03:22:10 PM
I have this weird issue when using Roundcube from a different domain in an iframe.

Roundcube loads perfectly fine in the iframe but I can't seem to log in. I checked the logs but couldn't find anything relevant to the issue.

The only thing I'm getting is an error in the console:
https://mail.xxxxxxx.io/?_task=login 401 (Unauthorized)
Invalid 'X-Frame-Options' header encountered when loading 'https://mail.xxxxxxx.io/': 'ALLOW-FROM https://xxxxxxx.io' is not a recognized directive. The header will be ignored.

And a toast message that says:
Invalid request, no data has been saved.

I have tried to change the X-frame-options to ALLOW FROM 'the-domain-with-iframe.com' and 'false', but that made no change.

Where would be a good place to start looking for a solution? Or does someone know how to fix this?

Title: Re: Login issues in iframe.
Post by: JohnDoh on February 02, 2022, 03:07:34 AM
Not all browsers support the allow-from directive. See https://caniuse.com/?search=x-frame-options.

Quote: I have tried to change the X-frame-options to ALLOW FROM 'the-domain-with-iframe.com' and 'false', but that made no change.

Setting `$config['x_frame_options'] = false;` will prevent the X-frame-options header from being sent, but there are other things that can prevent external sites from loading in iframes, such as CSP headers.
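
Added example, not part of the thread and not Roundcube code: a small JavaScript model of the framing decision discussed above, showing that an `ALLOW-FROM` value is ignored (so it restricts nothing) and that a CSP `frame-ancestors` directive is what actually limits framing to one origin. The function names and the `example.test` hosts are constructed for illustration, and source matching is simplified to exact origins and `scheme://*.host` wildcards.

```javascript
// Constructed model of how a current browser decides whether parentOrigin may
// frame a page, given that page's response headers (lower-case header names).
// Assumption: one level of framing; only the enforced CSP header is considered.
function matchSource(source, pageOrigin, parentOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return parentOrigin === pageOrigin;
  try {
    if (s.includes('://*.')) {
      const [scheme, host] = s.split('://*.');
      const p = new URL(parentOrigin);
      return p.protocol === scheme + ':' && p.hostname.endsWith('.' + host);
    }
    return new URL(s).origin === parentOrigin;
  } catch (e) {
    return false; // unparsable source expression matches nothing
  }
}

function framingDecision(headers, pageOrigin, parentOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // frame-ancestors takes precedence; X-Frame-Options is not consulted.
    const sources = directive.slice(1);
    const allowed = sources.some(s => matchSource(s, pageOrigin, parentOrigin));
    return { allowed, reason: 'CSP frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === '') return { allowed: true, reason: 'no framing header sent' };
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parentOrigin === pageOrigin, reason: 'X-Frame-Options SAMEORIGIN' };
  }
  // ALLOW-FROM (and any other value) is not recognized: the header is ignored.
  return { allowed: true, reason: 'X-Frame-Options ignored: ' + xfo };
}

// Constructed sample hosts, not taken from the thread.
const MAIL = 'https://mail.example.test';
const PORTAL = 'https://portal.example.test';
const OTHER = 'https://other.example.test';
console.log(framingDecision({ 'x-frame-options': 'ALLOW-FROM ' + PORTAL }, MAIL, OTHER));
```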