Refused to display in a frame because it set X-Frame-Options to sameorigin

chkdk

46 Points

2 Posts

Hi,

I working in developing widget for other website to show in iframe in cross-origin. For cross-origin, I allowed in web.config as

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*"/>
      </customHeaders>
    </httpProtocol>
<system.webServer>

I am using asp.net mvc application to developing widgets. Following are the iframe code for other websites:

<iframe src="https://localhost:10359/widget_page" 
frameborder="0" width="100%" height="1000" vspace="0" 
hspace="0" marginwidth="5" marginheight="5" 
scrolling="auto" allowtransparency="true">
</iframe>

Then I got error as:

Refused to display 'https://localhost:10359/widget_page' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I googled and added header in web.config as:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*"/>
        <add name="X-Frame-Options" value="ALLOW-FROM https://example.com/"/>
      </customHeaders>
    </httpProtocol>
<system.webServer>

Now I am getting error as:

Refused to display 'https://localhost:10359/widget_page' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM https://example.com/'). Falling back to 'deny'.

Can any one has any idea how to solve it?

Thanks

.net c#asp.net-mvc-5 iframe sameorigin x-frame-options

Views: 95028
Total Answered: 5
Total Marked As Answer: 1
Posted On: 20-Jun-2017 03:34

Share:

Answers

edx 506 Points 24 Posts	You cannot display a part of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page. This is a security feature to prevent click-jacking. Some details at How to show https://stackoverflow.com/questions/8700636/how-to-show-google-com-in-an-iframe in an iframe? Posted On: 20-Jun-2017 04:09
Jak 908 Points 132 Posts	Since asp.net mvc is adding 'X-Frame-Options' in header to prevent clickjacking under anti-forgery. You need to remove it first. You can do this By adding following line in Gobal.asax.cs in 'Application_Start()' `System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;` Posted On: 20-Jun-2017 05:57
Rahul M... 4916 Points 27 Posts	I think, it is dangerous to allow all page of the site to show in iframe for cross-origin. I worried by the possibility of using clickjacking for getting user credintial and other confidential data. I think, you should create filter and add it to the specific action you want to show in iframe as: `public class AllowCrossSiteIFrameAttribute : ActionFilterAttribute { public override void OnResultExecuted(ResultExecutedContext filterContext) { filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options"); base.OnResultExecuted(filterContext); } }` May you can allow to the specific referrer as: `public class AllowCrossSiteIFrameAttribute : ActionFilterAttribute { public override void OnResultExecuted(ResultExecutedContext filterContext) { filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options"); filterContext.HttpContext.Response.AddHeader("X-Frame-Options", "ALLOW-FROM https://example.com/"); base.OnResultExecuted(filterContext); } }` And you it as on action `[AllowCrossSiteIFrame] public ActionResult allowiframepage()` Posted On: 20-Jun-2017 06:13 great.... - xyan 16-Sep-2017 03:26
clover ... 10 Points 0 Posts	yes its working for me.Thank you `System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;` Posted On: 12-Mar-2020 05:46 It works to me. - Raj 25-Oct-2023 03:24
CHINNAK... 10 Points 0 Posts	I have Followed as like You but not working to me . can you help me? Posted On: 11-Aug-2022 06:53 Hope you got solution. thanks. - Brian 20-Mar-2024 22:58