Refused to display in a frame because it set X-Frame-Options to sameorigin

chkdk
46 Points
2 Posts

Hi,

I am working on developing a widget for other websites to show in a cross-origin iframe. For cross-origin, I allowed it in web.config as:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*"/>
      </customHeaders>
    </httpProtocol>
</system.webServer>

I am using an ASP.NET MVC application to develop the widgets. The following is the iframe code for the other websites:

<iframe src="https://localhost:10359/widget_page" 
frameborder="0" width="100%" height="1000" vspace="0"
hspace="0" marginwidth="5" marginheight="5"
scrolling="auto" allowtransparency="true">
</iframe>

Then I got this error:

Refused to display 'https://localhost:10359/widget_page' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I googled and added a header in web.config as:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*"/>
        <add name="X-Frame-Options" value="ALLOW-FROM https://example.com/"/>
      </customHeaders>
    </httpProtocol>
</system.webServer>

Now I am getting this error:

Refused to display 'https://localhost:10359/widget_page' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM https://example.com/'). Falling back to 'deny'.

Does anyone have any idea how to solve it?

Thanks

Views: 95081
Total Answered: 5
Total Marked As Answer: 1
Posted On: 20-Jun-2017 03:34

Answers
edx
506 Points
24 Posts

You cannot display parts of such websites inside an iframe, the reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page. This is a security feature to prevent clickjacking. Some details at https://stackoverflow.com/questions/8700636/how-to-show-google-com-in-an-iframe (How to show google.com in an iframe?).

Posted On: 20-Jun-2017 04:09
Jak
908 Points
132 Posts

ASP.NET MVC adds 'X-Frame-Options' to the response headers to prevent clickjacking as part of its anti-forgery support, so you need to remove it first. You can do this by adding the following line to Global.asax.cs in 'Application_Start()':

System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
Posted On: 20-Jun-2017 05:57
Rahul Maurya
4916 Points
27 Posts

I think it is dangerous to allow every page of the site to be shown in a cross-origin iframe. I am worried about the possibility of clickjacking being used to get user credentials and other confidential data. I think you should create a filter and add it to the specific action you want to show in an iframe, like this:

using System.Web.Mvc;

// Removes the X-Frame-Options header after the view has rendered (which is when
// Html.AntiForgeryToken() adds it), so only the decorated action can be framed.
public class AllowCrossSiteIFrameAttribute : ActionFilterAttribute
{
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
        base.OnResultExecuted(filterContext);
    }
}

Or you can allow only a specific referrer:

using System.Web.Mvc;

// Replaces the framework's SAMEORIGIN header with an ALLOW-FROM directive naming
// the one site that is permitted to frame the decorated action.
public class AllowCrossSiteIFrameAttribute : ActionFilterAttribute
{
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options");
        filterContext.HttpContext.Response.AddHeader("X-Frame-Options", "ALLOW-FROM https://example.com/");
        base.OnResultExecuted(filterContext);
    }
}

And you use it on the action like this:

[AllowCrossSiteIFrame]
public ActionResult allowiframepage()
{
    return View();
}
Posted On: 20-Jun-2017 06:13
great....
 - xyan  16-Sep-2017 03:26
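The filter approach above scopes the change to one action, which is the right shape; the piece current browsers need is different from ALLOW-FROM. Chrome (whose console wording the question quotes) never implemented ALLOW-FROM, and Firefox dropped it in version 70, so the standard way to say "only these origins may frame this page" is the Content-Security-Policy frame-ancestors directive, which browsers that understand it honour over X-Frame-Options. The following is an added example written for this thread, not code from the original posts or from ASP.NET MVC itself. It assumes the X-Frame-Options entry has been taken out of web.config customHeaders (so the filter is the only source of framing headers and no conflicting second header is appended), that the site runs under the IIS integrated pipeline (Response.Headers is writable there), and that AntiForgeryConfig.SuppressXFrameOptionsHeader is left at its default so every other action keeps SAMEORIGIN. The attribute, controller and origin names are placeholders. Note also that Access-Control-Allow-Origin is a CORS header that controls script reads of the response; it has no effect on whether a page may be framed, so "*" is not needed for the iframe case.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Added example (not from the thread): per-action framing allow-list for ASP.NET MVC.
// Replaces the SAMEORIGIN header emitted by Html.AntiForgeryToken() with an explicit
// CSP frame-ancestors policy. Origin strings below are assumptions for illustration.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowFramingFromAttribute : ActionFilterAttribute
{
    private readonly string[] _origins;

    // origins: scheme + host (+ port) only, e.g. "https://example.com". Anything else is
    // rejected at construction time so a typo cannot silently widen the policy.
    public AllowFramingFromAttribute(params string[] origins)
    {
        if (origins == null || origins.Length == 0)
            throw new ArgumentException("At least one framing origin is required.", "origins");

        _origins = origins.Select(NormalizeOrigin)
                          .Distinct(StringComparer.OrdinalIgnoreCase)
                          .ToArray();
    }

    public string[] Origins { get { return _origins; } }

    // Accepts only an https origin with no path, query, fragment or userinfo and returns
    // it in canonical "https://host[:port]" form (default port dropped).
    public static string NormalizeOrigin(string origin)
    {
        Uri uri;
        if (!Uri.TryCreate(origin, UriKind.Absolute, out uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || uri.PathAndQuery != "/"
            || !string.IsNullOrEmpty(uri.Fragment)
            || !string.IsNullOrEmpty(uri.UserInfo))
        {
            throw new ArgumentException(
                "Framing origin must be an https origin without path, query, fragment or userinfo: " + origin);
        }
        return uri.GetLeftPart(UriPartial.Authority);
    }

    // "frame-ancestors https://a.example https://b.example"
    public static string BuildFrameAncestors(IEnumerable<string> origins)
    {
        return "frame-ancestors " + string.Join(" ", origins);
    }

    // Runs after the view has rendered, i.e. after Html.AntiForgeryToken() has already
    // appended "X-Frame-Options: SAMEORIGIN". Requires an unflushed response.
    public override void OnResultExecuted(ResultExecutedContext filterContext)
    {
        var response = filterContext.HttpContext.Response;

        // Drop the framework's header; otherwise a second, conflicting value would be
        // sent and browsers fall back to deny (the second error in the question).
        response.Headers.Remove("X-Frame-Options");

        // A separate CSP header is appended rather than replacing any site-wide CSP;
        // multiple CSP headers are all enforced, so keep frame-ancestors only here.
        response.AppendHeader("Content-Security-Policy", BuildFrameAncestors(_origins));

        // Legacy fallback: ALLOW-FROM carries exactly one origin (old IE/Edge, Firefox < 70).
        // Browsers that understand frame-ancestors ignore X-Frame-Options when it is present.
        if (_origins.Length == 1)
            response.AppendHeader("X-Frame-Options", "ALLOW-FROM " + _origins[0]);

        base.OnResultExecuted(filterContext);
    }
}

// Hypothetical usage: only this action may be framed, and only by the listed sites.
// Every other action in the application keeps the default SAMEORIGIN protection.
public class WidgetController : Controller
{
    [AllowFramingFrom("https://example.com", "https://partner.example.org")]
    public ActionResult Widget_Page()
    {
        return View();
    }
}
```

To confirm what is actually on the wire, request the widget page and look at the response headers: there should be exactly one Content-Security-Policy header containing frame-ancestors for the allowed action, exactly one X-Frame-Options: SAMEORIGIN for every other action, and never two X-Frame-Options headers on the same response.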
clover test
10 Points
0 Posts

Yes, it's working for me. Thank you.

System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
Posted On: 12-Mar-2020 05:46
It works for me.
 - Raj  25-Oct-2023 03:24
CHINNAKANNAN AJITH R
10 Points
0 Posts

I have followed the same steps as you, but it is not working for me.

Can you help me?

Posted On: 11-Aug-2022 06:53
Hope you got a solution. Thanks.
 - Brian  20-Mar-2024 22:58