I came across this issue when running a wordpress web site. I tried all sorts of things to fix it and wasn't sure how, ultimately the issue was because I was using DNS forwarding with masking, and the links to external sites were not being addressed properly. i.e. my site was hosted at http://123.456.789/index.html but was masked to run at http://somewebSite.com/index.html. When i entered http://123.456.789/index.html in the browser clicking on those same links resulted in no X-frame-origins issues in the JS console, but running http://somewebSite.com/index.html did. In order to properly mask you must add your host's DNS name servers to your domain service, i.e. godaddy.com should have name servers of example, ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com, if you were using digitalocean.com as your hosting service.

试试这个东西，我认为没有人在主题中建议过这个，这将解决你70%的问题，对于其他一些页面，你必须废弃，我有完整的解决方案，但不是公开的。

添加到下面的iframe中

沙箱="允许-同源允许-脚本允许-弹出窗口允许-表单"

FWIW:

当这个“破坏者”代码出现时，我们遇到了需要杀死iFrame的情况。因此，我使用PHP函数get_headers($url);在iFrame中显示远程URL之前检查它。为了获得更好的性能，我将结果缓存到一个文件中，这样就不会每次都建立HTTP连接。

如果你在YouTube视频中遇到这个错误，不要使用完整的url，而是使用共享选项中的嵌入url。它看起来像http://www.youtube.com/embed/eCfDxZxTBW4

您还可以更换手表吗?v= with embed/ so http://www.youtube.com/watch?v=eCfDxZxTBW4变成http://www.youtube.com/embed/eCfDxZxTBW4

唯一一个有一堆答案的问题。欢迎来到这个指南，我希望我在最后期限那天晚上10:30为它工作时能有这个指南……facebook在canvas应用上做了一些奇怪的事情，好吧，你已经被警告过了。如果你还在这里，你有一个Rails应用程序将出现在Facebook Canvas后面，那么你将需要:

Gemfile:

gem "rack-facebook-signed-request", :git => 'git://github.com/cmer/rack-facebook-signed-request.git'

配置/ facebook.yml

facebook:
  key: "123123123123"
  secret: "123123123123123123secret12312"

配置/ application.rb

config.middleware.use Rack::Facebook::SignedRequest, app_id: "123123123123", secret: "123123123123123123secret12312", inject_facebook: false

配置/初始化/ omniauth.rb

OmniAuth.config.logger = Rails.logger
SERVICES = YAML.load(File.open("#{::Rails.root}/config/oauth.yml").read)
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, SERVICES['facebook']['key'], SERVICES['facebook']['secret'], iframe:   true
end

application_controller.rb

before_filter :add_xframe
def add_xframe
  headers['X-Frame-Options'] = 'GOFORIT'
end

你需要一个控制器来调用Facebook的画布设置，我使用/canvas/，并使路由到这个应用程序的主SiteController:

class SiteController < ApplicationController
  def index
    @user = User.new
  end
  def canvas
    redirect_to '/auth/failure' if request.params['error'] == 'access_denied'
    url = params['code'] ? "/auth/facebook?signed_request=#{params['signed_request']}&state=canvas" : "/login"
    redirect_to url
  end
  def login
  end
end

login.html.erb

<% content_for :javascript do %>
  var oauth_url = 'https://www.facebook.com/dialog/oauth/';
  oauth_url += '?client_id=471466299609256';
  oauth_url += '&redirect_uri=' + encodeURIComponent('https://apps.facebook.com/wellbeingtracker/');
  oauth_url += '&scope=email,status_update,publish_stream';
console.log(oauth_url);
  top.location.href = oauth_url;
<% end %>

来源

配置我认为来自omniauth的例子。 宝石文件(这是关键!!)来自:slideshare things i learned… 这个堆栈问题有整个Xframe的角度，所以你会得到一个空白，如果 你不需要把这个头文件放到应用控制器中。 我的男人@rafmagana写了这个heroku指南，现在你可以用这个答案来做轨道，也可以用巨人的肩膀走路。

令人惊讶的是，这里没有人提到Apache服务器的设置(*.conf文件)或.htaccess文件本身是导致这个错误的原因。搜索你的。htaccess或Apache配置文件，确保你没有以下设置为DENY:

报头总是设置X-Frame-Options DENY

将其更改为SAMEORIGIN，使事情按预期工作:

报头总是设置X-Frame-Options SAMEORIGIN