Amazon iFrame X-Frame-Options SAMEORIGIN error

created January 17, 2014, last updated January 17, 2014.

.
closeThis post was last updated 7 years 30 days ago, some of the information contained here may no longer be actual and any referenced software versions may have been updated!

I didn’t realize that Amazon restricted access to product content in iframes with an X-Frame-Options header until yesterday (16.02.2014) when they applied the same iFrame restrictions to their admin backend Amazon Seller Central.

This made me very grumpy.

I created an eBay and Amazon admin website to allow us to consolidate order info from both merchants. It was useful to go directly from this site to the Amazon order in seller central by clicking on a button, even more useful was showing this in a fancybox iframe so the user didn’t have to leave the admin page. This worked, up until yesterday, when the iframe request is cancelled due to a :

Refused to display …. in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’.

X-Frame-Options is an HTTP response header to prevent framing of pages. If the header is present the browser will refuse to render (cancel) the page in a frame depending on the values:

DENY – stops all framing
SAMEORIGIN – stops framing except for requests from the website itself.

So it looks like Amazon changed the security policy on their customer admin pages (Seller Central) yesterday to match the front end product pages and block frame request to content using the SAMEORIGIN header. There is no way around this so it is no longer possible to frame any amazon content. Boo!

The workaround is to load the content into a new _blank page and not use iframes – Hurrah!