I am fairly inexperienced with AWS so this may be an issue of understanding site structure or intricacies between web hosts.
I used to have a site hosted with HostMonster and was able to allow the site to be referenced from an iFrame on another domain. This was achieved by adding the ALLOW-FROM option to the x-frame-options.
The site was recently moved to AWS. It is using S3, EC2, with Elastic Beanstalk. Now when I try to embed the site I get this error:
Refused to display 'http://example.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Seems obvious that I have to set this option but I am not clear on how to do so.
I found this forum asking for support for X-Frame-Options. A response from AWS support confirms that S3 does not currently support X-Frame-Options.
Does this mean I am out of luck or am I just barking up the wrong tree?
I've also looked into the AWS CORS header setting docs and tried allowing the origin I am embedding from and even tried allowing from * to test.
Additionally I found this GitHub for making S3 files public. I implemented the policy and configuration they have set there but still get the same error.
If it seems like I've left out anything important please ask me about it. Like I said I'm very new to web development and am still figuring things out.
Edit:
As was pointed out it is interesting that a header with X-Frame-Options is being returned at all. Here is the full response I get when I load the page directly.
Connection:keep-alive
Content-Type:text/html; charset=utf-8
Date:Sun, 19 Jun 2016 00:31:37 GMT
Server:Apache/2.4.16 (Amazon) OpenSSL/1.0.1k-fips mod_wsgi/3.5 Python/2.7.10
transfer-encoding:chunked
X-Frame-Options:SAMEORIGIN
You have to include the enable_mod_deflate.conf file in .ebextensions with the setting "Header always unset X-Frame-Options":
enable_mod_deflate.conf
# mod_deflate configuration
<IfModule mod_deflate.c>
  <IfModule mod_headers.c>
    # Make sure proxies don't deliver the wrong content
    # Strip X-Frame-Options from responses so other origins can frame the page
    Header always unset X-Frame-Options
  </IfModule>
</IfModule>
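Added example, not part of the question or the answer above: a simplified Python model of a browser's framing decision, applied to the header from the question, to the response after `Header always unset X-Frame-Options`, and to a response that instead sends a Content-Security-Policy `frame-ancestors` list. The embedding origin `https://partner.example` is constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit

PAGE = "http://example.com"                      # URL from the error message
PARTNER = "https://partner.example/embed.html"   # constructed embedding page

AS_POSTED = {"X-Frame-Options": "SAMEORIGIN"}    # header from the question
AFTER_UNSET = {}                                 # X-Frame-Options removed
WITH_CSP = {"Content-Security-Policy":           # constructed alternative
            "frame-ancestors 'self' https://partner.example"}

def origin(url):
    """Return scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def framing_allowed(headers, page_url, embedder_url):
    """Decide whether embedder_url may frame page_url.

    Simplified: exact-origin sources, 'self' and * only; wildcard hosts
    and nested frames are not modelled.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    same = origin(page_url) == origin(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors takes precedence over X-Frame-Options
        return ("*" in sources
                or (same and "'self'" in sources)
                or origin(embedder_url) in sources)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same
    # No policy (ALLOW-FROM is obsolete and ignored by current browsers):
    # any site may embed the page.
    return True
```

With the header unset, every origin passes the check; the `frame-ancestors` response admits only the page's own origin and the listed partner.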