4

I'm trying to conditionally unset X-Frame-Options in an .htaccess file if the request URL begins with /store. This is the code I am working with in .htaccess:

```apache
# Allow store iframe to be loaded from all locations
SetEnvIf Request_URI "^/store" iframe
Header always unset X-Frame-Options env=iframe
```

But this isn't working and the X-Frame-Options header continues to be sent.

The web server is running Apache 2.2.

If I remove the SetEnvIf line and the env=iframe part of the third line, the X-Frame-Options header is removed. What is wrong with my SetEnvIf condition?

MrWhite
Chris
  • Your `SetEnvIf` directive looks OK. (I would be surprised if mod_setenvif was not enabled, since it is one of the standard Apache modules - but wouldn't you get a 500 error if it wasn't available?) Are you performing any URL rewrites? Try removing the `always` keyword - although that probably is not the problem given your last paragraph. – MrWhite Jan 20 '18 at 19:49
  • Just checked via apachectl and mod_setenvif is loaded. No 500 errors are occurring so that would also suggest mod_setenvif is working ok, as @MrWhite said. We do have some rewrites in .htaccess to route requests to index.php, but presumably Request_URI would still remain constant. Is it possible to return Request_URI in a custom header to identify what value Request_URI actually has? That might help with debugging. – Chris Jan 20 '18 at 20:13
  • As you suggest, try assigning it to another environment variable to check... `SetEnvIf Request_URI "(.*)" MYURI=$1`. And read `MYURI` in your application. – MrWhite Jan 20 '18 at 20:17
  • ...and to assign it to a custom header: `Header set X-Test %{MYURI}e` – MrWhite Jan 20 '18 at 20:26
  • I did the test header and it turns out the Request_URI is /index.php: `X-Test => /index.php` so it does seem our rewrite rules are the cause of this. – Chris Jan 21 '18 at 19:24
  • can't you do this "without .htaccess"? As in, aren't you the admin of the site? – Daniel Ferradal Jan 22 '18 at 13:36
  • Yes, that's possible - I've done it through PHP for the time being but wanted to know if it could be done through .htaccess with a conditional rule. – Chris Jan 22 '18 at 13:38
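
An added example, not part of the original question or comments: one way to make the condition survive the rewrite that the `X-Test` result points to. It assumes the route to index.php is a per-directory internal redirect, in which case Apache re-exposes variables set on the first pass with a `REDIRECT_` prefix; the `X-Test-Orig` header name is hypothetical.

```apache
# Added example, not the asker's configuration.
# Assumption: the .htaccess RewriteRule to index.php causes an internal
# redirect, so directives are evaluated once for /store/... and again
# for /index.php.

# Debugging step from the comments: the value Request_URI is matched against.
SetEnvIf Request_URI "(.*)" MYURI=$1
Header set X-Test %{MYURI}e
# Hypothetical extra check: the value captured before the rewrite.
Header set X-Test-Orig %{REDIRECT_MYURI}e

# First pass: the original path is visible, so "iframe" is set here.
# "(/|$)" is stricter than "^/store" and does not match /storefront.
SetEnvIf Request_URI "^/store(/|$)" iframe

# Second pass: Request_URI is /index.php, "iframe" is not set again,
# but the first-pass variable is available as REDIRECT_iframe.
Header always unset X-Frame-Options env=REDIRECT_iframe

# Requests under /store that are served without a rewrite (existing
# files) never get the prefix, so the original condition is kept too.
Header always unset X-Frame-Options env=iframe
```

If `X-Test-Orig` comes back empty for a `/store` request, the assumption about the internal redirect does not hold for that setup, and the `REDIRECT_iframe` condition will not fire either.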

0 Answers