IIS 7 and Above
Last post Apr 10, 2019 01:27 AM by Jalpa Panchal
Apr 04, 2019 03:41 PM|tippet
trying to get x-frames to work
I added <add name="X-Frame-Options" value="allow-from 'https://internalsite.com';" /> to my webconfig file.
This is an in-house developed site calling another internal site.
Is it possible? I am reading so many other posts about security and version of browser.
Apr 05, 2019 06:49 AM|Jalpa Panchal
The X-Frame-Options header is used to control whether a page can be placed in an IFRAME.
There are three possible directives for X-Frame-Options:
Not only will attempts to load the page in a frame fail when loaded from other sites, but attempts to do so will also fail when loaded from the same site.
You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn't check the frame ancestors to see if they are in the same origin.
<add name="X-Frame-Options" value="ALLOW-FROM http://www.sample2.com" />
You could also refer to the article below:
Apr 09, 2019 02:10 PM|tippet
The headers need to be defined on what site?
On the site requesting the page or the sending page (giving permissions)?
Apr 10, 2019 01:27 AM|Jalpa Panchal
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
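Added example, not part of the thread: a Python check of the X-Frame-Options values that a web.config sends, run on the value from the question and the value from the first reply. Because it is a response header, it is set in the web.config of the site being framed; `check_xfo`, `audit_web_config` and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def check_xfo(value):
    """Return findings ('error: ...' / 'warn: ...') for one X-Frame-Options value."""
    parts = value.strip().split(None, 1)
    if not parts:
        return ["error: empty header value"]
    directive = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else ""
    if directive in ("DENY", "SAMEORIGIN"):
        return [f"error: {directive} takes no argument"] if arg else []
    if directive != "ALLOW-FROM":
        return [f"error: unknown directive {parts[0]!r}"]
    findings = []
    # The origin is a single bare URI: quoting or a trailing ';' makes it invalid.
    if any(ch in arg for ch in "'\";, "):
        findings.append("error: origin must be one bare URI without quotes, ';', ',' or spaces")
    url = urlsplit(arg.strip("'\"; "))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append("error: origin must be an absolute http(s) URI")
    findings.append("warn: ALLOW-FROM is not supported by Chrome or Safari; "
                    "send Content-Security-Policy: frame-ancestors <origin> as well")
    return findings

def audit_web_config(xml_text):
    """Map each X-Frame-Options value in <customHeaders> to its findings."""
    root = ET.fromstring(xml_text)
    return {add.get("value", ""): check_xfo(add.get("value", ""))
            for add in root.iterfind(".//httpProtocol/customHeaders/add")
            if add.get("name", "").lower() == "x-frame-options"}

# Constructed web.config for the framed site, once with the value from the
# question and once with the value from the reply.
TEMPLATE = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-Frame-Options" value="{value}" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
QUESTION = TEMPLATE.format(value="allow-from 'https://internalsite.com';")
REPLY = TEMPLATE.format(value="ALLOW-FROM http://www.sample2.com")

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("reply", REPLY)):
        for value, findings in audit_web_config(cfg).items():
            print(label, repr(value), findings or "ok")
```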