Support

Hello,

can you please check the value of the option "Protect against clickjacking"? Can you please set it to No?

Where did you perform the change? On the website that holds the iframe or the one that is inside the iframe?

Just to be sure, can you please try to replace your current .htaccess file with Joomla default one and disable Admin Tools on both the website?

Do you still have the same issue?

You have two sites. The one you want to display inside an IFRAME we will call the Guest. The one which has the IFRAME element we'll call the Host.

The Guest site can control whether it wants to be displayed inside an IFRAME using the X-Frame-Options header. If that site runs on Joomla!, and you're using Admin Tools' .htaccess Maker on it you have to set Protect Against Clickjacking to No.

When you try to display a site with X-Frame-Options: SAMEORIGIN or X-Frame-Options: DENY the browser will refuse to display the site in an IFRAME and will print out an error in the developer tools. Safari prints "Refused to display 'such and such URL' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."

This is exactly your problem. The browser tells me that it cannot load https://www.demo.dleproducts.xyz/residential/ because it set 'X-Frame-Options' to 'SAMEORIGIN'. Therefore, you need to disable "Protect Against Clickjacking" on www.demo.dleproducts.xyz to No.

Now, for completeness' sake and because this is a public ticket other people will be reading, let me talk about the Host side as well.

The Host site can also control which sites it allows to be rendered inside IFRAMES (or not at all) using the Content-Security-Policy header (also referred to as CSP). This is where things get hairy — or, to use a more pedestrian phrase, where the shit hits the fan. The CSP is an extremely powerful feature. It's also maddeningly hard to set up right. It has two features, frame-src (which pages can appear inside IFRAMEs) and frame-ancestors (which pages of the Host site can have IFRAMEs).

Admin Tools DOES NOT deal with Content-Security-Policy of Joomla–generated pages because it's such a convoluted topic. If you are using Joomla and Admin Tools' .htaccess Maker on that site please check if you have put any custom Header lines in the custom .htaccess code areas of your site which set the Content-Security-Policy header. If you have, try commenting them out (placing a # in front).

Also remember that Joomla itself can set the CSP header with the System - HTTP Headers plugin — which I have repeatedly called a Bad Idea™ long before Joomla 4.0 was released. If you have enabled that plugin, try disabling CSP (third tab) and check if there are any custom Content-Security-Policy headers (first tab) you may additionally have to remove.

I do not see any sign of this problem on your www.dlejproducts.pro site. The headers returned by your server do not include a Content-Security-Policy at all.

I hope this helped.