X-Frame-Options blocks Drupal uploads

2011-07-24 00:00:00 +0100


Recently I added the X-Frame-Options flag to all my websites, including this one. A while later I noticed that file attachment uploads in Drupal hang and never complete. It took me a while to find out that these two are related. X-Frame-Options is an HTTP header (or META flag) that makes clickjacking attacks a bit more difficult. Basically, it prevents the protected website from being placed in a frame, a task usually also performed with dedicated JavaScript snippets called “frame busters”.

But, hey, does Drupal use frames for file uploads? As weird as it sounds, it looks like it does, because when I was watching the Chrome JavaScript console during the upload I saw a message saying that it cannot display a frame because of the X-Frame-Options setting, which was in turn set to the most restrictive option, “deny”. The solution was to reset it to “sameorigin”. After I reloaded Apache (the flag is set using mod_headers), uploads started to work again.
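
The effect of the two settings on a same-origin upload frame, as an added example (not code from the original post or from Drupal): a simplified JavaScript model of the check a browser applies to a framed response. The `drupal.example` and `other.example` URLs and all function names are constructed for illustration, and the handling of multiple or unrecognised values is an assumption based on current browser behaviour.

```javascript
// Simplified model of a browser's X-Frame-Options decision (illustrative only).

// Origin = scheme + host + port, as computed by the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// headerValue:  raw X-Frame-Options value sent with the framed response
// framedUrl:    URL of the document being loaded inside the frame
// ancestorUrls: URLs of every embedding document, parent first
function framingAllowed(headerValue, framedUrl, ancestorUrls) {
  if (headerValue == null) return true;      // no header: no restriction
  const values = new Set(
    headerValue.split(",").map(v => v.trim().toLowerCase()).filter(Boolean)
  );
  if (values.has("deny")) return false;      // never frameable, even by its own site
  if (values.size > 1) return false;         // conflicting values: treated as blocked
  if (values.has("sameorigin")) {
    const self = originOf(framedUrl);
    return ancestorUrls.every(u => originOf(u) === self);
  }
  return true;                               // unrecognised value: header is ignored
}

// Constructed sample URLs: an edit form, the upload response it loads in a
// hidden frame, and an unrelated site attempting to frame the same response.
const EDIT_FORM = "https://drupal.example/node/add";
const UPLOAD_RESPONSE = "https://drupal.example/upload-target";
const THIRD_PARTY = "https://other.example/page";

function demo() {
  return {
    // The situation from the post: the site frames its own upload response.
    uploadWithDeny: framingAllowed("deny", UPLOAD_RESPONSE, [EDIT_FORM]),
    uploadWithSameorigin: framingAllowed("SAMEORIGIN", UPLOAD_RESPONSE, [EDIT_FORM]),
    // Clickjacking protection is kept in both configurations.
    thirdPartyWithDeny: framingAllowed("deny", UPLOAD_RESPONSE, [THIRD_PARTY]),
    thirdPartyWithSameorigin: framingAllowed("sameorigin", UPLOAD_RESPONSE, [THIRD_PARTY]),
    // A cross-origin page anywhere in the ancestor chain still blocks the frame.
    nestedCrossOrigin: framingAllowed("sameorigin", UPLOAD_RESPONSE, [EDIT_FORM, THIRD_PARTY]),
  };
}

console.log(demo());
```

Only the same-origin upload frame changes between the two settings; framing from another origin is refused under both.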