Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this http header and just render the frame?

like image 994
Daniel Coffman Avatar asked May 06 '10 17:05

Daniel Coffman


People also ask

How do I stop X-Frame-options to SAMEORIGIN?

This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (eg., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.

What is X Frame bypass?

X-Frame-Bypass is a Web Component, specifically a Customized Built-in Element, which extends an IFrame to bypass the X-Frame-Options: deny/sameorigin response header. Normally such headers prevent embedding a web page in an <iframe> element, but X-Frame-Bypass is using a CORS proxy to allow this.

What is SAMEORIGIN in X-Frame-options?

X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself. X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.


1 Answers

UPDATE: 2019-12-30

It seem that this tool is no longer working! [Request for update!]

UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.

You can use it as follows:

  1. (Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:

    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script> 
  2. Include the X-Frame-Bypass JS module:

    <script type="module" src="x-frame-bypass.js"></script> 
  3. Insert the X-Frame-Bypass Custom Element:

    <iframe is="x-frame-bypass" src="https://example.org/"></iframe> 
like image 59
niutech Avatar answered Oct 04 '22 08:10

niutech