I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header.
I also need to enable my site pages to be iframed from my same domain as well as from my facebook app.
Currently I have my site configured with a site headed of:
Response.Headers.Add("X-Frame-Options", "ALLOW-FROM SAMEDOMAIN, www.facebook.com/MyFBSite")
When I viewed my Facebook page with Chrome or Firefox my sites pages (being iframed with my facebook page) are display ok, but under IE9, I get the error:
"this page cannot be displayed…" (because of the
X-Frame_Options
restriction).
How do I set the X-Frame-Options: ALLOW-FROM
to support more than a single domain?
X-FRAME-OPTION
being a new feature seems fundamentally flawed if only a single domain can be defined.
You can then send a X-Frame-Options response HTTP header with the value: "Allow-From ip-address", where ip address is the remote ip address that is trying to embed content on your server. This will allow your website to be embedded by all websites that are accessed using an ip address from the browser.
X-Frame-Options Deprecated While the X-Frame-Options header is supported by the major browsers, it has been obsoleted in favour of the frame-ancestors directive from the CSP Level 2 specification.
X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself. X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.
Chrome does not support the ALLOW-FROM directive in X-Frame-Options. So if we are going to do anything involving other domains, we need something similar. We can stitch together a patchwork configuration involving both headers, which does something more than just allow same-origin framing.
X-Frame-Options
is deprecated. From MDN:
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Do not use it in old or new projects. Pages or Web apps using it may break at any time.
The modern alternative is the Content-Security-Policy
header, which along many other policies can white-list what URLs are allowed to host your page in a frame, using the frame-ancestors
directive.frame-ancestors
supports multiple domains and even wildcards, for example:
Content-Security-Policy: frame-ancestors 'self' example.com *.example.net ;
Unfortunately, for now, Internet Explorer does not fully support Content-Security-Policy.
UPDATE: MDN has removed their deprecation comment. Here's a similar comment from W3C's Content Security Policy Level
The
frame-ancestors
directive obsoletes theX-Frame-Options
header. If a resource has both policies, theframe-ancestors
policy SHOULD be enforced and theX-Frame-Options
policy SHOULD be ignored.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With