Hello,
I have used the How to Get Help search.
I also went through related discussions on the forums (about X-Frame-Options, iframes, and CSP headers). While they provide useful context, they don’t provide a ready-to-use solution for my setup. My environment is Ubuntu 24.04.2 LTS with Tutor 20.0.0 (Teak), running with LMS on healthyorg.eu, Studio on studio.healthyorg.eu, and MFEs on apps.healthyorg.eu. The threads I found mostly focus on older Tutor versions with Nginx or different configurations, so I’m not sure how to correctly apply those fixes in my case.
I’m deploying Open edX using Tutor 20.0.0 with the following setup:
- LMS: https://healthyorg.eu
- MFE apps: https://apps.healthyorg.eu
- Tutor deployment on Ubuntu 24.04.2 LTS, Caddy as reverse proxy
When opening a course unit inside the Learning MFE, the iframe with LMS content fails to load correctly.
Here is a sample request/response:
Request:
URL: https://healthyorg.eu/xblock/block-v1:OpenedX+DemoX+DemoCourse+type@vertical+block@78b75020d3894fdfa8b4994f97275294
Referer: https://apps.healthyorg.eu/
Response headers:
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Vary: Cookie, Accept-Language, origin, Accept-Encoding
Status: 200
The iframe is blocked because the LMS sends X-Frame-Options: SAMEORIGIN, but the request is coming from a different subdomain (apps.healthyorg.eu).
I have already set in Tutor config:
CSRF_TRUSTED_ORIGINS=["https://healthyorg.eu","https://apps.healthyorg.eu"]
CORS_ORIGIN_WHITELIST=["https://apps.healthyorg.eu"]
SESSION_COOKIE_DOMAIN=".healthyorg.eu"
CSRF_COOKIE_DOMAIN=".healthyorg.eu"
But the issue persists.
My question:
Is it an X-Frame-Options: SAMEORIGIN issue?
If so, how do I solve it?
How can I configure LMS so that the XBlocks (student_view) can be embedded correctly inside the MFE iframe (cross-subdomain)?
Any guidance on the correct Tutor/edx-platform settings for this scenario would be very helpful.
Thank you!
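
How a browser decides whether the response quoted above may be framed, as an added example that is not part of the original post and is not Tutor or edx-platform code. The function names are hypothetical, the `Content-Security-Policy` value is a constructed sample, and the check is simplified to a single parent frame with no path or port-wildcard matching.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port): the tuple a browser compares for same-origin checks."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def source_matches(source, parent, resource):
    """Match one frame-ancestors source (simplified: no paths or port wildcards)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent == resource
    if source == "*":
        return True
    if "://" not in source:            # scheme-less host: assume the resource's scheme
        source = f"{resource[0]}://{source}"
    scheme, host, port = origin(source)
    if (scheme, port) != (parent[0], parent[2]):
        return False
    if host.startswith("*."):          # wildcard covers subdomains only
        return parent[1].endswith(host[1:])
    return host == parent[1]

def framing_allowed(resource_url, parent_url, headers):
    """Return (allowed, deciding_header) for one response framed by one parent page."""
    h = {k.lower(): v for k, v in headers.items()}
    res, par = origin(resource_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options.
            return any(source_matches(s, par, res) for s in parts[1:]), "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "x-frame-options"
    if xfo == "SAMEORIGIN":
        return par == res, "x-frame-options"
    return True, "none"

# URL, Referer and X-Frame-Options are taken from the post; WITH_CSP is a constructed sample.
RESOURCE = "https://healthyorg.eu/xblock/block-v1:OpenedX+DemoX+DemoCourse+type@vertical+block@78b75020d3894fdfa8b4994f97275294"
PARENT = "https://apps.healthyorg.eu/"
OBSERVED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "SAMEORIGIN"}
WITH_CSP = dict(OBSERVED, **{"Content-Security-Policy": "frame-ancestors 'self' https://apps.healthyorg.eu"})
```

Only the scheme, host and port of the embedding page enter the decision; the cookie-domain, CSRF and CORS settings listed in the post are not consulted by this check.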