X-Frame-Options headers
Apr 04, 2019 03:41 PM | tippet
Trying to get x-frames to work.
I added <add name="X-Frame-Options" value="allow-from 'https://internalsite.com';" /> to my web.config file.
This is an in-house developed site calling another internal site.
Is it possible? I am reading so many other posts about security and browser versions.
Thanks
Re: X-Frame-Options headers
Apr 05, 2019 06:49 AM | Jalpa Panchal
Hi tippet,
The X-Frame-Options header is used to control whether a page can be placed in an IFRAME.
There are three possible directives for X-Frame-Options:
deny:
Not only will attempts to load the page in a frame fail when loaded from other sites, but attempts to do so will also fail when loaded from the same site.
sameorigin:
You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
allow-from uri:
The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn't check the frame ancestors to see if they are in the same origin.
Browser compatibility:
You could also refer to the article below:
Re: X-Frame-Options headers
Apr 09, 2019 02:10 PM | tippet
The headers need to be defined on what site?
On the site requesting the page or the sending page (giving permissions)?
Re: X-Frame-Options headers
Apr 10, 2019 01:27 AM | Jalpa Panchal
Hi,
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
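
The following is an added example, not part of the thread or of any poster's code: a small model of how a browser evaluates the X-Frame-Options value sent with the framed page's own response, including what happens when the value is malformed or when allow-from is not supported. The function names, the `supportsAllowFrom` flag and the `app.example` origin are assumptions made for illustration.

```javascript
// Added example (not from the thread). Function names and the app.example
// origin are illustrative assumptions; internalsite.com is the thread's value.

// Parse a raw X-Frame-Options value. Returns null when it is malformed.
function parseXfo(value) {
  const v = value.trim();
  const lower = v.toLowerCase();
  if (lower === 'deny' || lower === 'sameorigin') return { directive: lower };
  const m = /^allow-from\s+(\S+)$/i.exec(v);
  if (!m) return null;
  // The origin is written bare: quotes or a ';' are not part of the syntax.
  if (/['";]/.test(m[1])) return null;
  try {
    const u = new URL(m[1]);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return { directive: 'allow-from', origin: u.origin };
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Decide whether framedUrl is rendered inside the given ancestor chain
// (immediate parent first, top-level page last). headerValue is the
// X-Frame-Options value sent in the response for framedUrl itself.
function mayRender(headerValue, framedUrl, ancestors, supportsAllowFrom) {
  if (ancestors.length === 0) return true; // not framed at all
  const policy = parseXfo(headerValue);
  if (policy === null) return true; // malformed header is ignored: no protection
  if (policy.directive === 'deny') return false;
  const self = new URL(framedUrl).origin;
  if (policy.directive === 'sameorigin') {
    return ancestors.every((a) => new URL(a).origin === self);
  }
  // allow-from: a browser without support ignores the whole header.
  if (!supportsAllowFrom) return true;
  // Assumption: only the top-level page is compared, not every ancestor.
  const top = ancestors[ancestors.length - 1];
  return new URL(top).origin === policy.origin;
}
```

In this model a malformed value and an unsupported allow-from both end in the page being rendered in any frame, so a value that fails to parse gives no clickjacking protection at all.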