Skip to content

Instantly share code, notes, and snippets.

@bdeleasa
Created April 14, 2016 15:19
Show Gist options
  • Save bdeleasa/80f7e61fca55507705d5cf8f86adb868 to your computer and use it in GitHub Desktop.
Save bdeleasa/80f7e61fca55507705d5cf8f86adb868 to your computer and use it in GitHub Desktop.
Wordpress plugin that removes the X-Frame-Options header to allow for domain masking.
<?php
/**
* The plugin bootstrap file
*
* This file is read by WordPress to generate the plugin information in the plugin
* admin area. This file also includes all of the dependencies used by the plugin,
* registers the activation and deactivation functions, and defines a function
* that starts the plugin.
*
* @link http://example.com
* @since 0.0.1
* @package WP_Domain_Masking
*
* @wordpress-plugin
* Plugin Name: WP Domain Masking
* Plugin URI: https://gist.github.com/bdeleasa/80f7e61fca55507705d5cf8f86adb868
* Description: Allows domain masking.
* Version: 1.0.0
* Author: Brianna Deleasa
* Author URI: http://briannadeleasa.com
* License: GPL-2.0+
* License URI: http://www.gnu.org/licenses/gpl-2.0.txt
* Text Domain: wp-domain-masking
* Domain Path: /languages
*/
// If this file is called directly, abort.
if ( ! defined( 'WPINC' ) ) {
die;
}
add_action( 'wp_head', 'wpdm_allow_iframe_embedding' );
/**
* Removes the X-Frame-Options header tag to allow domain masking.
*
* @param none
* @return null
*/
function wpdm_allow_iframe_embedding() {
header_remove("X-Frame-Options");
}
@hackaros
Copy link

How it works?

@bmcclure
Copy link

bmcclure commented Apr 17, 2018

@hackaros it works by removing the 'X-Frame-Options' header that WordPress core sets, thus allowing the site to be iframed into any other site. Note that this isn't extremely secure--it might be even better to, immediately after removing the existing header, add one back that specifies which domains to allow iframes on.

@oliviertassinari
Copy link

oliviertassinari commented Dec 13, 2019

It might not always work: "Cannot modify header information - headers already sent by".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment