How to set the X-Frame-Origin to ALLOW-FROM

Stefan Sturm asked on November 3, 2015 16:52

Hello,

how could the x-frame-origin be set to "ALLOW-FROM"?

Regards Stefan

Correct Answer

Stefan Sturm answered on November 4, 2015 15:24

Hello Bryan,

thank you for the response!

Based on your suggestion I added your snippet

<configuration>
  <configSections></configSections>
  .
  .
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="ALLOW-FROM http://xxx.xx" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  .
  .
</configuration>

and tested it by trying to load the website into an iframe using IE 11. Unfortunately the X-Frame-Options header stays at "SAMEORIGIN" and therefore I'm not able to get the page loaded.

What am I missing here?

Update - Solution

After some hours I found the solution.

By default Kentico sets the X-Frame-Options header to "SAMEORIGIN" to prevent "Clickjacking". You can find the documentation here. Adding the code snippet above, as mentioned by Bryan and here, is only half the way.

You also have to remove the "SAMEORIGIN" setting from the header. You can do this by simply following the steps in the documentation (linked above). If you don't remove the previously set "SAMEORIGIN" setting you will get a result like this:


As shown in the picture, the X-Frame-Options header is declared two times. To solve this just add

<add key="CMSXFrameOptionsExcluded" value="/" />

to your web.config.

Regards Stefan


Recent Answers

Bryan Soltis answered on November 3, 2015 20:38 (last edited on November 3, 2015 20:38)

Stefan,

Depending on your needs, you may be able to use the "Custom Response" web part to set the x-frame-origin.

Additionally, you can set this in web.config with the following:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="ALLOW-FROM ..." />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Bryan

Bryan Soltis answered on November 4, 2015 18:26 (last edited on November 4, 2015 18:27)

Awesome find, Stefan. I was just about to respond with some additional IIS settings, where you can set the X-Frame-Options on an IIS level. I've worked with Kentico for 6+ years and I still find web.config keys and settings to do things like this. :)

I would definitely recommend you only enable the setting for the specific page(s) you want to show in your iframe to reduce the security vulnerability.

Here is the IIS link, if you need it.

https://support.microsoft.com/en-us/kb/2694329


Stefan Sturm answered on November 5, 2015 10:30

Thank you much Bryan for your time and your help.

You are absolutely right, I should definitely restrict the accessibility, but unfortunately this is exactly what the customer needs :(

Stefan


Jason S answered on September 18, 2017 03:47

Another possibility that may work to remove this entirely is to use IIS URL Rewrite rules.

<outboundRules>
    <rule name="Remove RESPONSE_X-Frame-Options">
        <match serverVariable="RESPONSE_X-Frame-Options" pattern=".+" />
        <action type="Rewrite" value="" />
    </rule>
</outboundRules>
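An added Python check (not Kentico's code and not posted in this thread) that reads a web.config and predicts which X-Frame-Options values a response will carry, reproducing the duplicate-header outcome from Stefan's accepted answer, the CMSXFrameOptionsExcluded fix, and Jason's outbound rewrite rule. It assumes the key lives in <appSettings>, the rule under <system.webServer><rewrite>, and a simplified Kentico behaviour (SAMEORIGIN added unless the exclusion value is "/"); none of that is verified against the product.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Stefan's first attempt, with no CMSXFrameOptionsExcluded
# key in <appSettings>, so Kentico still emits its own SAMEORIGIN header.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings></appSettings>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="ALLOW-FROM http://xxx.xx" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def expected_xfo_headers(web_config_xml):
    """Return the X-Frame-Options values a response from this config should carry.

    Assumed model (simplified from the thread): Kentico adds SAMEORIGIN unless
    the appSetting CMSXFrameOptionsExcluded is "/"; IIS appends each
    <customHeaders> entry as an additional header instead of replacing; an
    outbound rule rewriting RESPONSE_X-Frame-Options to "" strips the header.
    """
    root = ET.fromstring(web_config_xml)
    values = []
    excluded = root.find("./appSettings/add[@key='CMSXFrameOptionsExcluded']")
    if excluded is None or excluded.get("value") != "/":
        values.append("SAMEORIGIN")
    for add in root.findall("./system.webServer/httpProtocol/customHeaders/add"):
        if add.get("name", "").lower() == "x-frame-options":
            values.append(add.get("value", "").strip())
    for rule in root.findall("./system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None
                and match.get("serverVariable", "").lower() == "response_x-frame-options"
                and action.get("type") == "Rewrite" and action.get("value", "") == ""):
            values = []
    return values


def lint_xfo(web_config_xml):
    """Classify the header set the way a browser reacts to it."""
    values = expected_xfo_headers(web_config_xml)
    if not values:
        return "none"      # header removed: any origin may frame the page
    if len(set(values)) > 1:
        return "conflict"  # differing duplicate values: browsers refuse to frame
    return "single"        # exactly one effective policy
```

Run `lint_xfo` against your own web.config before testing in a browser: "conflict" is the two-header state shown in the screenshot, and "none" is what Jason's rewrite rule produces.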
