X-Frame-Options for media files

Brenden Kehren asked on May 18, 2015 15:18

I have a need to display media files in an iframe on another site. Out of the box, it appears X-Frame-Options are restricted to SAMEORIGIN, which is good but not for this scenario. The site uses permanent URLs so the request is coming from a URL like so:

/getmedia/8203df61-e17c-4c75-9fb3-ebf33957e52f/file-name-here.png

I'm unsure of how to change the X-Frame-Options for just the GetMedia requests and not the whole site. Any suggestions?

Correct Answer

Jim Spillane answered on May 19, 2015 01:55

Give this a try...

<add key="CMSXFrameOptionsExcluded" value="/getmedia" />

3 votes
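One way to confirm the exclusion is scoped as intended once the key is in place, as an added example that is not part of the original thread or the CMS's own code: it audits captured response headers and expects X-Frame-Options to be absent only under /getmedia. The host cms.example, the sample responses, the /Home.aspx and /Admin/login.aspx paths, and all function names are constructed for illustration, and the case-insensitive, segment-aware prefix match is this audit's assumption about the intended policy.

```python
from urllib.parse import urlsplit

# Assumption: only this prefix is meant to be frameable (the value from the answer).
EXCLUDED_PREFIXES = ("/getmedia",)
PROTECTIVE = {"SAMEORIGIN", "DENY"}

def parse_headers(raw):
    """Parse a raw HTTP response head into (status_line, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_excluded(url):
    """True if the URL path is the excluded prefix or sits beneath it."""
    path = urlsplit(url).path.lower()
    return any(path == p or path.startswith(p + "/") for p in EXCLUDED_PREFIXES)

def audit(samples):
    """Return (url, problem) pairs for responses that break the intended policy."""
    findings = []
    for url, raw in samples:
        _, headers = parse_headers(raw)
        xfo = headers.get("x-frame-options", "").upper()
        if is_excluded(url):
            if xfo:
                findings.append((url, "still sends X-Frame-Options: " + xfo))
        elif xfo not in PROTECTIVE:
            findings.append((url, "not excluded but lacks a protective X-Frame-Options"))
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("https://cms.example/getmedia/8203df61-e17c-4c75-9fb3-ebf33957e52f/file-name-here.png",
     "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"),
    ("https://cms.example/Home.aspx",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
    ("https://cms.example/Admin/login.aspx",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for url, problem in audit(SAMPLES):
        print(url, "->", problem)
```

Feeding it headers captured from the real site after the change shows whether any page outside /getmedia lost its header along with the media files.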

Recent Answers


Brenden Kehren answered on May 19, 2015 01:57

No way! It can't be that easy. I checked the web.config reference and didn't see that one. Where'd you get this from, Jim?

1 vote

Jim Spillane answered on May 19, 2015 02:01

They hid this little jewel in Clickjacking protection.

1 vote

Jim Spillane answered on May 19, 2015 02:19

I sent a suggestion to add CMSXFrameOptionsExcluded to the v8.2 Reference - Web.config application keys page.

1 vote

Juraj Komlosi answered on May 21, 2015 14:15

Hi guys,

thank you very much for your feedback. You are right, there were some web.config keys missing in the "Web.config reference" section. I went through the whole "Securing websites" chapter and I found four web.config keys:

  • CMSAdminEmergencyReset
  • CMSUserSaltColumn
  • CMSRenewSessionAuthChange
  • CMSXFrameOptionsExcluded

related to security not mentioned in "Web.config reference" section. If you are interested in it, see the documentation section Reference - Web.config application keys.

Have a nice day.

1 vote

Brenden Kehren answered on May 21, 2015 14:17

Spectacular! Thank you for your quick work Juraj!

1 vote
