I'm working with the dev version of Laravel (4.1.*) and there is a new default configuration that I don't want: X-Frame-Options: SAMEORIGIN
For the moment I disable it by deleting one line in Illuminate\Http\FrameGuard.php.
I'm looking for a better solution. I've tried this in the filters.php file:
App::after(function($request, $response) {
    $response->header('X-Frame-Options', 'ALLOW-ALL');
});
But it just adds the option (X-Frame-Options:ALLOW-ALL, SAMEORIGIN), whereas I need an override.
Laravel doesn't provide any configuration to disable this functionality.
According to Taylor Otwell, the only way to bypass it is by adding the following line into the start file:
App::forgetMiddleware('Illuminate\Http\FrameGuard');
The dirty solution is to comment out the guilty line:
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
Edit (Jan 29th 2014): new info from Taylor Otwell on GitHub about the next Laravel version's policy.
Removing this by default in 4.2. Should be in an after filter - will leave FrameGuard class so people can add the middleware manually if they want.
The third parameter of the header method should serve your needs.
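Why the after filter in the question produced `ALLOW-ALL, SAMEORIGIN` instead of an override, as an added example that is not part of the original posts or Laravel's own code. It is a simplified model of the replace flag in Symfony's `HeaderBag::set()`; `HeaderBagModel` and `buildFrameHeader()` are hypothetical names, and the filter-then-FrameGuard order is assumed from the header the question reports.

```php
<?php
// Simplified model (added example) of the replace semantics behind
// $response->headers->set($key, $value, $replace).
final class HeaderBagModel
{
    private $headers = array();

    public function set($key, $value, $replace = true)
    {
        $key = strtolower($key);
        if ($replace || !isset($this->headers[$key])) {
            $this->headers[$key] = array($value);   // overwrite any earlier value
        } else {
            $this->headers[$key][] = $value;        // append next to the earlier value
        }
    }

    public function line($key)
    {
        $key = strtolower($key);
        return isset($this->headers[$key]) ? implode(', ', $this->headers[$key]) : null;
    }
}

// Hypothetical helper: applies the App::after filter first, then the
// FrameGuard step (assumed order, matching the question's output).
function buildFrameHeader($frameGuardEnabled, $filterValue = null)
{
    $headers = new HeaderBagModel();
    if ($filterValue !== null) {
        // The after filter: header() replaces by default.
        $headers->set('X-Frame-Options', $filterValue);
    }
    if ($frameGuardEnabled) {
        // The FrameGuard line quoted in the answer: replace = false.
        $headers->set('X-Frame-Options', 'SAMEORIGIN', false);
    }
    return $headers->line('X-Frame-Options');
}

var_dump(buildFrameHeader(true, 'ALLOW-ALL')); // filter plus FrameGuard
var_dump(buildFrameHeader(true));              // FrameGuard only (4.1 default)
var_dump(buildFrameHeader(false, 'DENY'));     // middleware forgotten, policy set in filter
var_dump(buildFrameHeader(false));             // middleware forgotten, no filter
```

In the last case the model emits no X-Frame-Options header at all, so once the middleware is removed any framing policy has to be set explicitly, for example in an after filter.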