Okta Access Gateway Application Unable to Display Page in iFrame With "Refused to display in a frame because it set 'X-Frame-Options' to 'deny'" Error
Overview
An OAG application fails to render a resource in an iframe, and the browser's Developer Tools show an error such as:
Refused to display '(URL)/' in a frame because it set 'X-Frame-Options' to 'deny'.
Applies To
- Okta Access Gateway (OAG)
Cause
The back-end application's response includes the header "X-Frame-Options: deny", which tells the client browser not to load that resource in an iframe.
Solution
- In this example, the issue is occurring because the back-end application's response includes the "X-Frame-Options: deny" header. This should be validated with the application team to understand why it is returning this header and whether anything can be done on the application side to change this part of its response.
- On the OAG side, a potential workaround would be to add the following directive to the policy for the relevant resource:
  proxy_hide_header X-Frame-Options;
  This directive tells OAG to hide the "X-Frame-Options" response header (sent by the back-end application) in OAG's response to the front-end client. As a result, the client will not see "X-Frame-Options: deny" in the response headers, so the client browser will not refuse to render the resource in an iframe.
- If the issue persists or does not seem to be related to the back-end application sending "X-Frame-Options: Deny", consider reviewing the following:
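Added example, not part of the original Okta article and not OAG code: a small Python model of how a browser decides whether a response may be framed, run against the back-end headers before and after the X-Frame-Options header is hidden. The hostnames, header sets and function names are constructed for illustration, and the Content-Security-Policy frame-ancestors case is included as an assumption about one other header that produces a similar refusal.

```python
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def hide_header(headers, name):
    """Model of proxy_hide_header: drop the named header from the response."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

def framing_blockers(headers, resource_url, parent_url):
    """Return the header values that make a browser refuse to render
    resource_url in a frame on parent_url. Empty list means framing is allowed.
    Simplified: one level of framing; frame-ancestors sources limited to
    *, 'self', 'none' and exact origins (no wildcard hosts or bare schemes)."""
    parent = origin(parent_url)
    same_origin = origin(resource_url) == parent
    xfo, ancestors = [], []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            xfo.append(value.strip().lower())
        elif name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.lower().split()
                if parts and parts[0] == "frame-ancestors":
                    ancestors.append(parts[1:])
    if ancestors:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        return ["CSP frame-ancestors " + " ".join(src) for src in ancestors
                if not any(s == "*" or s == parent or (s == "'self'" and same_origin)
                           for s in src)]
    return ["X-Frame-Options " + v for v in xfo
            if v == "deny" or (v == "sameorigin" and not same_origin)]

# Constructed sample data: hostnames and header sets are illustrative only.
RESOURCE = "https://app.example.com/"
PARENT = "https://portal.example.com/"
BACKEND = [("Content-Type", "text/html"), ("X-Frame-Options", "deny")]
BACKEND_WITH_CSP = BACKEND + [("Content-Security-Policy",
                               "default-src 'self'; frame-ancestors 'none'")]

if __name__ == "__main__":
    for label, hdrs in (("XFO only", BACKEND), ("XFO + CSP", BACKEND_WITH_CSP)):
        print(label, "as sent by back end:", framing_blockers(hdrs, RESOURCE, PARENT))
        print(label, "with XFO hidden:   ",
              framing_blockers(hide_header(hdrs, "X-Frame-Options"), RESOURCE, PARENT))
```

With the header hidden and no frame-ancestors policy in the response, nothing restricts framing, so any origin can embed the resource. A frame-ancestors policy that names only the intended parent origin is the narrower control.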
