Refused to display 'https://iframe.videodelivery.net/' in a frame because it set 'X-Frame-Options' to 'sameorigin'

I started using the “Stream” service.
(I do not use any other Cloudflare service.)

I set “Enter allowed origin domains separated by commas:” with *.sundaynamaste.com or online.sundaynamaste.com

And “Require Signed URLs” with “TRUE”

through the website.

When I use a normal URL, not a Signed URL, it works as normal.
But with a Signed URL, I get an error like:
Refused to display ‘https://iframe.videodelivery.net/’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

I attach it in an SPA (Single Page Application).

How can I solve this?

What if you remove your Allowed Origin Domains?

Same as before.

I recommend that you not remove any headers unless you don’t mind degrading the server’s security. I suggest you include the URL of the source video.

(https://static.sundaynamaste.com/manual/online_flow_like_sunna.webm?ngsw-bypass= true)

I would write it like this:

X-Frame-Options: ALLOW-FROM https://example.com/

Remember that the instruction is written according to the web server; see this, it can help you.

I think x-frame-options is set by the video itself, so it’s not letting itself be framed in the user’s website.

The ALLOW-FROM also looks to be not recommended in the article you linked to. Not that it matters, as I don’t think it applies in this case.

I think I had the same problem with this domain (polarisapp.xyz) and I solved the problem by enabling the video url in my headers.

Watch this:

I use not www. but online.
It’s different.
I also use CloudFront for online.sundaynamaste.com,
so I am trying to set the “X-Frame-Options” header.
It’s an SPA, so it does not use a web server.

Even after I set the header on CloudFront, it shows the same error.
https://securityheaders.com/?q=https%3A%2F%2Fonline.sundaynamaste.com

I tried to find other clues.
It’s not related to the security header but to the TOKEN URL.
When I make a token with “the /token endpoint”, it works.
Making it myself, as in “Generating signed tokens without calling the /token endpoint”, is the problem.
I need to figure out more about why generating the token on my side is wrong, now.

I finally solved this.

In the DOC, it says:
The response will return pem and jwk values.

const jwkKey = '{PRIVATE-KEY-IN-JWK-FORMAT}'
const keyID = '$KEYID'

So I thought jwk is the jwkKey and pem is the keyID.
But after that, it says:
you will configure the id and jwk values from step 1:

It’s totally my fault, but for the next person, please change the phrase

The response will return `pem` and `jwk` values.
TO
The response will return `id`, `pem` and `jwk` values.

Otherwise people might think the “id” is an ignorable thing, like I did.

That syntax is not supported by any browsers (give or take 1.6% of browsers).

https://caniuse.com/mdn-http_headers_x-frame-options_allow-from

The CSP policy directive frame-ancestors should be used as an alternative. (Not really relevant to the use case in this thread, but in case anybody from the future reads the thread)
