The X-Frame-Options response header is used to prevent clickjacking. By default, all requests in Liferay have this header set to DENY for all external URLs; that is, the Liferay site cannot be iframed or embedded in an iframe from any site other than the Liferay site with the same domain.
Assuming you are using Liferay Version 6.2.x, you can use two approaches so Liferay can be iFramed:
Approach I
Disable the http.header.secure.x.frame.options property in portal-ext.properties:
http.header.secure.x.frame.options=false
By default, this is true.
Approach II (recommended)
Add the page URL to the http.header.secure.x.frame.options.* property in portal-ext.properties so that only a specific URL can be embedded in an iframe, and not the entire site.
Here * must be replaced with any positive integer value.
Some examples follow; note that each URL is in a separate property:
http.header.secure.x.frame.options.1=/web/guest/home
http.header.secure.x.frame.options.2=/myPortletPageToBeIframed
http.header.secure.x.frame.options.10=/group/mySite/MyPageInIframe
The second approach is recommended because it allows only certain pages to be iframed, which reduces the risk of clickjacking on the other pages.
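An added example, not part of the original answer or of Liferay's code: a small Python audit of a portal-ext.properties file that reports whether Approach I has disabled the header for the whole site and which paths Approach II allows to be framed. The sample file contents, the function names and the rule that flags "/" or empty values are assumptions made for illustration.

```python
import re

PREFIX = "http.header.secure.x.frame.options"

# Constructed sample portal-ext.properties, not taken from a real deployment.
SAMPLE = """\
# constructed sample
http.header.secure.x.frame.options=true
http.header.secure.x.frame.options.1=/web/guest/home
http.header.secure.x.frame.options.2 = /myPortletPageToBeIframed
http.header.secure.x.frame.options.x=/group/mySite/MyPageInIframe
http.header.secure.x.frame.options.3=/
"""

def parse_properties(text):
    """Minimal key=value parser: skips blanks and #/! comments, last key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_frame_options(text):
    """Return (header_enabled, framable_paths, findings) for the two approaches."""
    props = parse_properties(text)
    # The page states the default is true when the property is absent.
    enabled = props.get(PREFIX, "true").lower() != "false"
    paths, findings = [], []
    if not enabled:
        findings.append("Approach I in use: header disabled for the entire site")
    for key, value in props.items():
        if not key.startswith(PREFIX + "."):
            continue
        suffix = key[len(PREFIX) + 1:]
        if not re.fullmatch(r"[1-9][0-9]*", suffix):
            findings.append(f"{key}: suffix is not a positive integer")
        elif value in ("", "/"):
            # Review heuristic (assumption): the entry should name one page.
            findings.append(f"{key}: value {value!r} is not a specific page")
        else:
            paths.append((int(suffix), value))
    return enabled, sorted(paths), findings

if __name__ == "__main__":
    print(audit_frame_options(SAMPLE))
```

The parser handles only the `key=value` form used in the answer, not every syntax that Java properties files accept.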