Allowing Drupal 7.50 sites to be within an iframe

Following the Drupal 7.50 upgrade, a security measure was introduced that prevents Drupal pages from being embedded in an iframe by default. As a result, the content is not displayed and the following error appears in the browser console:

Refused to display 'https://<site>' in a frame because it set 'X-Frame-Options' to 'SameOrigin'.

Since we do not consider it a good security measure to revert all sites to the previous configuration, this is left up to site admins. In this tutorial we will see how it can be done properly.


First of all, you need to install the 'Security Kit' module. Version 1.9 does not solve the problem, so I prepared a new version with the patch already applied. You can download it here. When version 1.10 is released, that will be the recommended option.

Once the module is installed and enabled, go to its configuration, under System -> Security Kit. Scroll down to the Clickjacking group, select Disabled, and click Save configuration.

Once it is saved, clear all caches and you should be able to see your Drupal site within the iframe.

* We didn't test how the rest of the parameters behave with Drupal infrastructure, so please leave them with their default values.
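
To confirm the change took effect, compare the response headers served before and after the steps above. The following check is an added example, not part of the original tutorial or the Security Kit module. The host names and the two sample responses are constructed, only the immediate parent frame is modelled, and Content-Security-Policy is not evaluated.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real site).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"


def xfo_values(raw_headers):
    """Collect every X-Frame-Options token, lowercased, across repeated headers."""
    values = set()
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))


def framing_allowed(raw_headers, page_url, parent_url):
    """True if a browser would render page_url inside a frame on parent_url."""
    values = xfo_values(raw_headers)
    # Conflicting values that include a recognised keyword cause a block.
    if len(values) > 1 and values & {"deny", "allowall", "sameorigin"}:
        return False
    if "deny" in values:
        return False
    if "sameorigin" in values:
        return origin(page_url) == origin(parent_url)
    return True  # header absent or value not recognised


if __name__ == "__main__":
    page, parent = "https://drupal.example/node/1", "https://portal.example/"
    print("before:", framing_allowed(BEFORE, page, parent))
    print("after: ", framing_allowed(AFTER, page, parent))
```

With the header absent the function returns True for any parent origin, which is the effect of the Disabled setting.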

