Magento 2 AMP extension requires proper configuration for product options iFrame to work correctly. Although security settings are considered to be an essential part of its configuration, they can sometimes cause issues. In particular, Magento allows implementing the X-Frame-Options HTTP request header to enable page rendering in a more secure way. As a result, specific errors occur that we want to point out and suggest a solution.
So, if you have faced “The loading of ‘url’ in a frame is denied by ‘X-Frame-Options’ directive set to ‘SAMEORIGIN’” error in the console, check this article to discover the cause and its solution.
What is X-Frame-Options:SAMEORIGIN
X-Frame-Options is a security header for iFrame source. It is a part of the HTTP response and is passed as a response header of a web page. It helps avoid clickjacking attacks by indicating whether or not a browser should display a page inside a <FRAME> or <IFRAME> tag.
At the same time, X-Frame-Options:SAMEORIGIN is a default Magento setting. It defines that the page can only be embedded in a frame of the same origin as the page itself. Also, it allows the iFrame content to be displayed only within the current domain. Find out more about the X-Frame-Options header.
How X-Frame-Options:SAMEORIGIN Affects AMP iFrame
As stated in the official AMP documentation, amp-iframe “must not be in the same origin as the container unless they do not allow allow-same-origin in the sandbox attribute”. Since the product option AMP iFrame is loaded from a different origin (Google AMP CDN), we cannot use X-Frame-Options:SAMEORIGIN. In order to ensure that iFrame works properly, our AMP extension deletes the header only for product options iFrame.
Why Does the iFrame Denial Result in Magento AMP Error
Despite the fact that the Plumrocket AMP extension deletes the header for product options iFrame, some server configurations always force this header for security reasons. As a result, AMP iFrame attempts to load content from a different origin, despite the fact that only the same origin is allowed.
2 Ways to Fix iFrame Error Due to “X-Frame-Options” Directive Set to “SAMEORIGIN” in Magento AMP
- Contact your hosting provider to disable the X-Frame-Options header. Afterward, you need to enable the X-Frame-Options header in Magento.
- Add the exception to the server security rules to disable the header only for product options iFrame.
If you get a 404 error after all the steps taken to fix the iFrame error, make sure the “ampiframe.php” file is located in Magento 2 webroot directory. You can get the file from the following path: