[SOLVED] X-Frame-Options: DENY on assets

I’ve got some assets I’d like to run in an iframe in the background. This works when the project is published, but it doesn’t during development because launch.playcanvas.com has assets set to X-Frame-Options: DENY vs X-Frame-Options: SAMEORIGIN.

This makes editing and development a bit painful. It’s a bit silly because creating an iframe to a completely different domain works well (as it should) and doesn’t when the X-Frame-Options is locked down. The issue can be illustrated here:


The published version does work; the hidden iframe loads and one can see the console output “Some intensive CPU activity here…”. However, in Editor → Launch, causes a new tab to popup; the header indicates DENY. For security purpose, the nginx server could have X-Frame-Options set to SAMEORIGIN and this would alleviate the issue.

We may have made some backend header changes @Steveorevo, will look into it. Thanks so much for the heads up!


I found a quick work around was to simply host the needed assets for the iframe on an external domain. I guess one could also create a proxy project in playcanvas and just publish the assets that one needs for development but this is a bit cumbersome as the amazon cdn URL is unpredictable.

Import side note: The method getFileUrl returns a relative URL in launcher but returns an absolute URL when published. This should be consistent, and launcher needs to simply prepend window.location.origin. I.e.

// Returns 'https://s3-eu-west-1.amazonaws.com/apps.playcanvas.com/HSBSlcXy/..' at publish
// but returns '/api/assets/files/Library/Billboard/hello.html?id=656796' in launcher.

pc.app.assets.findAll('hello.html', 'html')[0].getFileUrl();

Please consider fixing this to always return a FQURL. A ticket has been created at:

Me and @yak32 investigated this and it’s going to require a bit more work than changing the X frame permissions due to the way that assets are served in the Editor/Launch tab, we’ve set them up so that they can be downloaded from the Editor

We will need to change this as well so that it has different behaviour between the launch tab and the Editor.

1 Like

Because a download request in the header; isn’t launch origin and editor origin different domains?

It currently isn’t done that way on the backend but that is what we are planning to change

1 Like

We have released an update to support assets in iframes (SAMEORIGIN for X-Frame-Options) on launch pages. Could you check it please?

I can confirm this is fixed. Screenshot attached. Great work! Thank You! Marking this as solved.


Looks like I’m not able to change this issue’s title to reflect [SOLVED], feel free to change it as/if needed.

Thanks for reporting!