X-Frame-Options header used to control whether a page can be placed in an IFRAME.
There are three possible directives for X-Frame-Options:
deny:
Not only will attempts to load the page in a frame fail when loaded from other sites, but attempts to do so will also fail when loaded from the same site.
sameorigin:
You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
allow-from uri:
The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn't check the frame ancestors to see if they are in the same origin.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is
not embedded into other sites.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
141 Posts
X-Frame-Options headers
Apr 04, 2019 03:41 PM|tippet|LINK
trying to get x-frames to work
I added <add name="X-Frame-Options" value="allow-from 'https://internalsite.com';" /> to my webconfig file.
This is an in-house developed site calling another internal site.
is it possible? I reading so many other posts about security and version of browser.
thanks
1042 Posts
Re: X-Frame-Options headers
Apr 05, 2019 06:49 AM|Jalpa Panchal|LINK
Hi tippet,
X-Frame-Options header used to control whether a page can be placed in an IFRAME.
There are three possible directives for X-Frame-Options:
Not only will attempts to load the page in a frame fail when loaded from other sites, but attempts to do so will also fail when loaded from the same site.
You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
The page can only be displayed in a frame on the specified origin. Note that in Firefox this still suffers from the same problem as sameorigin did — it doesn't check the frame ancestors to see if they are in the same origin.
Browser compatibility:
You could also refer below article:
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
141 Posts
Re: X-Frame-Options headers
Apr 09, 2019 02:10 PM|tippet|LINK
the headers need to be defined on what site?
on the site requesting the page or the sending page (giving permissions)
1042 Posts
Re: X-Frame-Options headers
Apr 10, 2019 01:27 AM|Jalpa Panchal|LINK
Hi,
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.