Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

Tags:

http

asp.net

x-frame-options

sharepoint

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this http header and just render the frame?

like image 994
Daniel Coffman Avatar asked May 06 '10 17:05

Daniel Coffman

People also ask

How do I stop X-Frame-options to SAMEORIGIN?

This doesn't seem to be documented anywhere, but if you can edit the pages you're trying to iframe (eg., they're your own pages), simply sending another X-Frame-Options header with any string at all disables the SAMEORIGIN or DENY commands.

What is X Frame bypass?

X-Frame-Bypass is a Web Component, specifically a Customized Built-in Element, which extends an IFrame to bypass the X-Frame-Options: deny/sameorigin response header. Normally such headers prevent embedding a web page in an <iframe> element, but X-Frame-Bypass is using a CORS proxy to allow this.

What is SAMEORIGIN in X-Frame-options?

X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself. X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.

1 Answers

UPDATE: 2019-12-30

It seem that this tool is no longer working! [Request for update!]

UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.

You can use it as follows:

  1. (Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:

    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>

  2. Include the X-Frame-Bypass JS module:

    <script type="module" src="x-frame-bypass.js"></script>

  3. Insert the X-Frame-Bypass Custom Element:

    <iframe is="x-frame-bypass" src="https://example.org/"></iframe>
like image 59
niutech Avatar answered Oct 04 '22 08:10

niutech
Sign in to Comment

Related questions

IIS 7 Log Files Auto Delete?
Entity Framework Include() strongly typed
System.Web.HttpException: Request timed out
How to use the <label> tag in ASP.NET?
.NET vs ASP.NET vs CLR vs ASP
creating multiline textbox using Html.Helper function
How to bypass validation for a button in ASP.NET?
Entering keys manually with Entity Framework
redirect to current page in ASP.Net
Default text for empty Repeater control
How to configure Fluent NHibernate to output queries to Trace or Debug instead of Console?
IEnumerable to string delimited with commas?
Problems publishing a website on smarterasp.net with csc.exe file included?
VS2012 - Web Forms - Bundling Confusion
CallContext vs ThreadStatic
What's the current best solution for generating HTML from ASP.NET Razor templates within a Console Application?
Can you recommend a .net template engine? [closed]
Async Void, ASP.Net, and Count of Outstanding Operations
Font files are not loading with ASP.NET Bundles
Setting up redirect in web.config file

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!