Can I Configure My Plone Site to be Embedded via iframe?

Hi, all. I recently used Plone 5 to build an Intranet site for the company I work for, currently. The Intranet site is up and running, and the users really like it. What I need to do now, however, is embed the Plone site I built into another site as an iframe. However, when I attempt to do this, I receive the following error:

My understanding is that Plone's X-Frame-Options are set to SAMEORIGIN for security purposes, and that I would need to amend the variable or remove it altogether in order for Plone to allow itself to be embedded as an iframe. Unfortunately, I don't know how to do this or where I would edit this piece of header information within Plone. I understand the risk of clickjacking if I do this, but it is necessary for me to do and I intend to only allow one specific domain.

That said, would someone be kind enough to walk me through this process? Thanks in advance!


I have determined that my Apache server's settings with respect to X-Frame-Options are set correctly. I have tested this by putting a Joomla built site in the exact same environment with the exact same Apache server settings. I was able to successfully embed the Joomla site into an iframe within minutes. Therefore, Plone itself is actually what's blocking me from embedding my Plone Intranet site into an iframe.

Is there anyone that can clarify where I would go within Plone to amend/remove the X-Frame-Options coding that's seemingly forcing X-Frame-Options SAMEORIGIN? I would hate to abandon Plone in favor of Joomla, especially after putting so much time into Plone, but if I can't get it to embed in an iframe like I need, I'll be forced to migrate to Joomla.

Someone, please help!

Probably not, but:
Security settings in the browser (like Firefox) can prevent http sites from embedding https sites, can it be that?
(one of your sites uses https and the other http )

Espen --- Thanks for the reply, but that's not the issue as we strictly use Internet Explorer 11 throughout the company. It's a requirement in order for us to use mission-critical services from a core vendor of ours.

Maybe I misunderstand here; but I thought IE had the same:

Are both the site and the iframe site the same protocol (https / http ?)

... or maybe you can just add something like (not sure of syntax here, have only done this once):
<meta http-equiv="X-Frame-Options" content="allow">
in the <head> part of your theme ?

Okay, right... so, I guess what I really need to know then is where, within Plone, can I find that syntax to edit?

Appreciate the help.
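
An added example, not part of the thread and not Plone's own code: a small Python model of how a browser decides whether a page may be framed, for checking what a given set of response headers would permit before changing the SAMEORIGIN default discussed above. The host names, the sample header sets and the `ie11` switch are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin(url):
    """Reduce a URL to scheme://host[:port], dropping default ports."""
    p = urlsplit(url.strip().lower())
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_allowed(headers, page_url, parent_url, ie11=False):
    """Would a browser render page_url inside a frame on parent_url?

    Simplified model: one level of nesting; CSP sources limited to 'none',
    'self', '*' and exact origins. Only HTTP response headers count, since
    browsers do not honour X-Frame-Options delivered in a <meta> tag.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    # IE11 does not implement frame-ancestors; browsers that do let it
    # take precedence over X-Frame-Options.
    sources = None if ie11 else frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(s == "*" or (s.lower() == "'self'" and page == parent)
                   or origin(s) == parent for s in sources)
    xfo = h.get("x-frame-options", "").strip()
    if xfo.upper() == "DENY":
        return False
    if xfo.upper() == "SAMEORIGIN":
        return page == parent
    if xfo.upper().startswith("ALLOW-FROM ") and ie11:
        return origin(xfo.split(None, 1)[1]) == parent
    return True  # absent, unrecognised, or ALLOW-FROM outside IE: not enforced

# Constructed sample hosts and headers
SITE, PORTAL, OTHER = ("https://intranet.example.com/", "https://portal.example.com/",
                       "https://other.example.net/")
DEFAULT = {"X-Frame-Options": "SAMEORIGIN"}
LEGACY_ONLY = {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"}
BOTH = dict(LEGACY_ONLY, **{"Content-Security-Policy":
                            "frame-ancestors 'self' https://portal.example.com"})
```

In this model `LEGACY_ONLY` restricts framing only when `ie11=True`; every other browser ignores it, so a single-domain allowance needs the `frame-ancestors` directive sent alongside it, as in `BOTH`.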