X-Frame-Options headers

3 replies

Last post Apr 10, 2019 01:27 AM by Jalpa Panchal

  • X-Frame-Options headers

    Apr 04, 2019 03:41 PM|tippet|LINK

    Trying to get x-frames to work.

    I added <add name="X-Frame-Options" value="allow-from 'https://internalsite.com';" /> to my web.config file.

    This is an in-house developed site calling another internal site.

    Is it possible? I am reading so many other posts about security and browser versions.

    Thanks

  • Re: X-Frame-Options headers

    Apr 05, 2019 06:49 AM|Jalpa Panchal|LINK

    Hi tippet,

    The X-Frame-Options header is used to control whether a page can be placed in an IFRAME.

    There are three possible directives for X-Frame-Options:

    • deny:

    Not only will attempts to load the page in a frame fail when loaded from other sites, but attempts to do so will also fail when loaded from the same site.

    • sameorigin:

    You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

    • allow-from uri:

    The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn't check the frame ancestors to see if they are in the same origin.

    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="ALLOW-FROM http://www.sample2.com" />
      </customHeaders>
    </httpProtocol>

    Browser compatibility:

    You could also refer to the article below:

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: X-Frame-Options headers

    Apr 09, 2019 02:10 PM|tippet|LINK

    The headers need to be defined on what site?

    On the site requesting the page or the sending page (giving permissions)?

  • Re: X-Frame-Options headers

    Apr 10, 2019 01:27 AM|Jalpa Panchal|LINK

    Hi,

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

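An added example, not code from any of the posts above: a small Python check that reads the X-Frame-Options custom header out of a web.config and validates its value against the RFC 7034 grammar (DENY, SAMEORIGIN, or ALLOW-FROM followed by one bare origin). Because this is a response header, the web.config to check is the one on the site whose pages are being framed. The function names and the wrapping template are assumptions; the two header values are the ones quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a web.config skeleton into which the header values
# quoted in this thread are substituted.
TEMPLATE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Frame-Options" value="{value}" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

# RFC 7034: ALLOW-FROM takes exactly one unquoted origin (scheme://host[:port]).
ORIGIN = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?/?$")


def check_value(value):
    """Return a list of problems with one X-Frame-Options value ([] = valid)."""
    parts = value.strip().split(None, 1)
    if not parts:
        return ["empty value"]
    directive = parts[0].upper()  # directive names are case-insensitive
    if directive in ("DENY", "SAMEORIGIN"):
        return [] if len(parts) == 1 else [directive + " takes no argument"]
    if directive != "ALLOW-FROM":
        return ["unknown directive: " + parts[0]]
    if len(parts) == 1:
        return ["ALLOW-FROM needs an origin"]
    origin, problems = parts[1], []
    if "'" in origin or '"' in origin:
        problems.append("origin must not be quoted")
    if ";" in origin or "," in origin:
        problems.append("only one origin, no ';' or ',' separators")
    if not problems and not ORIGIN.match(origin):
        problems.append("not a scheme://host[:port] origin")
    return problems


def check_web_config(xml_text):
    """Map each X-Frame-Options customHeader value to its list of problems."""
    results = {}
    for add in ET.fromstring(xml_text).findall(".//customHeaders/add"):
        if add.get("name", "").lower() == "x-frame-options":
            results[add.get("value", "")] = check_value(add.get("value", ""))
    return results


if __name__ == "__main__":
    for v in ("allow-from 'https://internalsite.com';",
              "ALLOW-FROM http://www.sample2.com"):
        print(check_web_config(TEMPLATE.format(value=v)))
```

The value from the first post is reported for its quotes and trailing semicolon, while the value from the reply passes.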