Change record status: 
Project: 
Introduced in branch: 
8.0.x
Introduced in version: 
8.0.0-beta13
Description: 

Drupal core now protects against clickjacking by default by emitting the 'X-Frame-Options: SAMEORIGIN' header on every response. Browsers that honour it refuse to render the site inside a frame or iframe unless the framing page comes from the same origin, so the site cannot be embedded on another domain.

This should not be disruptive for contributed modules, unless a contributed module or site wants to embed the Drupal site somewhere else (for example in a Facebook application).

In that case a new Response Subscriber needs to be added whose priority, relative to the current FinishResponseSubscriber (see core.services.yml), puts it at the right point in the response chain to overwrite or remove the header, depending on the use case. Higher-priority subscribers run first, so a subscriber that sets its own value runs before FinishResponseSubscriber, while a subscriber that removes the header must run after FinishResponseSubscriber has added it.

https://api.drupal.org/api/drupal/core!lib!Drupal!Core!EventSubscriber!F... is also a good example of how to write such a subscriber.

For example, for a Facebook application living under the /fb-app path, the KernelEvents::RESPONSE handler of the subscriber would do:

    // $event is the response event passed to the subscriber's handler.
    $request = $event->getRequest();
    $response = $event->getResponse();
    $path = $request->getPathInfo();

    // Only pages of the Facebook app may be framed; the header is removed
    // from the response (not the request) for those paths.
    if (strpos($path, '/fb-app/') === 0) {
      $response->headers->remove('X-Frame-Options');
    }

Do not remove the header lightly: without it your Drupal site can be embedded on other sites, and users can then be tricked into performing actions they did not intend (clickjacking). Limit any exception to the exact paths that must be framed.

See also the related Drupal 7 change record.

Impacts: 
Site builders, administrators, editors
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

axel.rutz

In fact in your shiny new facebook app you should not do

    if (strpos($path, '/fb-app/') === 0) {
      $response->headers->remove('X-Frame-Options');
    }

but rather something like (untested)

    if (strpos($path, '/fb-app/') === 0) {
      $response->headers->set('X-Frame-Options', 'ALLOW-FROM https://www.facebook.com/');
    }

Also see https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options
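The following is an added example, not code from Drupal core, from the change record, or from the comment above. It is a complete response subscriber for the /fb-app/ case described in the change record, combined with the allow-list idea from the comment: instead of opening the pages to every site, it only permits framing by Facebook. One caveat a practitioner should know: the MDN page linked above documents 'ALLOW-FROM' as obsolete, and Chrome and Safari never supported it, so the allow-list is expressed with the Content-Security-Policy 'frame-ancestors' directive, which is the standard replacement. The module name fb_app, the class and service names, the Facebook origins in the allow-list, and the assumption that FinishResponseSubscriber::onRespond runs at the default priority 0 are all assumptions made for this example.

```php
<?php

namespace Drupal\fb_app\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Lets pages under /fb-app/ be framed by Facebook, and by nothing else.
 *
 * Register it in fb_app.services.yml (module name assumed for the example):
 *
 *   services:
 *     fb_app.frame_options_subscriber:
 *       class: Drupal\fb_app\EventSubscriber\FbAppFrameOptionsSubscriber
 *       tags:
 *         - { name: event_subscriber }
 */
class FbAppFrameOptionsSubscriber implements EventSubscriberInterface {

  /**
   * Path prefix of the pages that may be framed.
   */
  const FRAMEABLE_PREFIX = '/fb-app/';

  /**
   * Origins allowed to frame those pages (assumed values for this example).
   */
  const ALLOWED_FRAME_ANCESTORS = 'https://www.facebook.com https://apps.facebook.com';

  /**
   * Replaces X-Frame-Options with a CSP frame-ancestors allow-list.
   *
   * Only the master request is touched: headers set on sub-requests never
   * reach the client.
   */
  public function onRespond(FilterResponseEvent $event) {
    if (!$event->isMasterRequest()) {
      return;
    }

    $path = $event->getRequest()->getPathInfo();
    if (strpos($path, self::FRAMEABLE_PREFIX) !== 0) {
      // Every other path keeps core's X-Frame-Options: SAMEORIGIN.
      return;
    }

    $headers = $event->getResponse()->headers;

    // SAMEORIGIN would block Facebook from framing the page, and ALLOW-FROM
    // is obsolete and unsupported by Chrome and Safari, so drop the header
    // for this path only ...
    $headers->remove('X-Frame-Options');

    // ... and restrict framing with CSP instead. replace = FALSE adds a second
    // Content-Security-Policy header rather than clobbering a policy another
    // module may have set; browsers enforce every policy they receive.
    $headers->set('Content-Security-Policy', 'frame-ancestors ' . self::ALLOWED_FRAME_ANCESTORS, FALSE);
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    // Negative priority: run after FinishResponseSubscriber::onRespond (assumed
    // to run at the default priority 0) has added X-Frame-Options, so that
    // remove() actually finds the header. A subscriber that runs earlier
    // would remove nothing, and the header would still be sent.
    return [KernelEvents::RESPONSE => [['onRespond', -10]]];
  }

}
```

After enabling the module, check both cases with curl: a request to /fb-app/ should return a Content-Security-Policy header with frame-ancestors and no X-Frame-Options, while any other path (for example the front page) should still return X-Frame-Options: SAMEORIGIN. If the header is still present on /fb-app/, the subscriber is running before FinishResponseSubscriber and the priority needs to be lowered.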