Login issues in iframe.

[martinv]

I have this weird issue when using roundcube from a different domain in a iframe.

Roundcube loads perfectly fine in the iframe but I can't seem to login, I checked the logs couldn't find anything relevant to the issue.

The only thing i'm getting is a error in the console:

Code Select Expand

https://mail.xxxxxxx.io/?_task=login 401 (Unauthorized)

Code Select Expand

Invalid 'X-Frame-Options' header encountered when loading 'https://mail.xxxxxxx.io/': 'ALLOW-FROM https://xxxxxxx.io' is not a recognized directive. The header will be ignored.

And a toast message that says:

Code Select Expand

Invalid request, no data has been saved.

I have tried to change the X-frame-options to ALLOW FROM 'the-domain-with-iframe.com' and 'false', but that made no change.

Where would be a good place to start looking for a solution? or does someone know how to fix this?

[JohnDoh]

Not all browser support the allow-from directive. See https://caniuse.com/?search=x-frame-options.

I have tried to change the X-frame-options to ALLOW FROM 'the-domain-with-iframe.com' and 'false', but that made no change.

Setting `$config['x_frame_options'] = false;` will prevent the X-frame-options header from being sent but there are other things can prevent external sites from loading in iframes such as CSP headers.