Webserver force X-FRAME-OPTIONS SAMEORIGIN - iis

After a Windows update on our Windows web server (IIS 8), the iframe of the hosted SharePoint 2013 stopped working from an external domain.
The server seems to force X-FRAME-OPTIONS SAMEORIGIN. This value is not set in web.config or in IIS Manager under HTTP Response Headers.
I've tried to add an HTTP Response header in both IIS Manager and in web.config, but it doesn't help.
If I don't add anything I get this error:
Refused to display 'http://SP-SITE' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
When I add X-FRAME-OPTIONS ALLOW-FROM http://Other-url I get this error:
Refused to display 'http://SP-SITE' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM http://Other-URL, ALLOW-FROM http://Other-URL'). Falling back to 'deny'.
Does anyone know how I can find where the SAMEORIGIN value is set, or how to override or change it?

Related

Refused to display xyz in a frame because it set X-Frame-Options - can I set an allowed domain?

I am sorting out a website that will be getting pen-tested soon; we have been asked to add the X-Frame-Options header to our server configuration. When adding the following header it gives me an error message in the console.log where we are using iframes.
-- nginx header --
add_header 'X-Frame-Options' "SAMEORIGIN";
-- Error --
Refused to display 'https://api.domain.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Obviously I understand the security reasons for this header, but our website has an iframe that we simply cannot change, and it is on a different domain, e.g. oldapp.domain.com rather than api.domain.com.
I would have used the ALLOW-FROM uri directive to allow from this other domain, but this directive is no longer recommended. Is there an alternative to ALLOW-FROM uri that will enable me to simply add a domain that is allowed to display iframe content?
For all browsers except some older ones (like IE) you should use Content-Security-Policy with the frame-ancestors directive instead. With CSP frame-ancestors you can use wildcards (*.domain.com) or multiple sources ("oldapp.domain.com api.domain.com www.domain.com").
X-Frame-Options ALLOW-FROM only accepts one URI, so you will likely have to dynamically set the URI from a list of allowed hostnames based on the incoming request. Alternatively you can set the value to SAMEORIGIN if you don't need to fully support IE and other outdated browsers, as X-Frame-Options will be disregarded if CSP frame-ancestors is present.

Lotus Notes X-Frame option

I have a Lotus Notes web application which is loaded into another web application. After we upgraded Domino from 9.0.1 to V10.0.4 the application fails to load in this portal; the application can be accessed individually in the browser, but while loading in another application it fails with this error:
Load denied by X-Frame-Options: http://achme.com/achme.NSF/frameset?readform does not permit cross-origin framing.
Any hint on fixing the error?
It seems that your Domino server has a header value for X-Frame-Options set.
This can either be done with a Website Rule of type "HTTP response headers" that defines the header in the Domino Directory:
X-Frame-Options: SAMEORIGIN
Possible values:
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
Or it is set via a notes.ini entry:
HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN
Check your Domino Directory and the notes.ini for the setting, and set it to something more relaxed if you need the page to be loaded in an iframe.
Do you happen to have changed the FQDN of your Domino server when upgrading? That might be a reason why the same setting worked in Domino 9 (old hostname) and does not work for the new server (new hostname).

How to disable HTTP Response Headers that aren't set in the applicationHost.config or the web.config?

Hi, I have a Windows server with IIS 10 where I am hosting AngularJS web apps with the help of IIS-Node. I've been trying to harden the response headers and I find that I'm doubling up on some of them.
For instance, x-frame-options is listed twice: the first time it is loaded it is SAME ORIGIN, which is not set in either applicationHost.config or webhost.config but is being added from somewhere I'm not aware of; the second x-frame-options is shown as DENY, which is what I expect it to be, as I did set this using applicationHost.config.
A similar thing is happening with cache-control: in the browser (Chrome) it is shown as public, max-age=0, No-store when I only set it as No-store using applicationHost.config. So again cache-control: public, max-age=0 is being set somewhere else, not by me.
Can anyone please tell me how to turn off these unwanted response headers?
I have searched IIS and Googled but I keep getting pointed back toward applicationHost.config or web.config. Thanks in advance.

Is it possible to insert X-Frame-Options into every HTTP response?

X-Frame-Options HTTP header field is used for prevention against clickjacking attacks. Is it possible to insert X-Frame-Options into every HTTP response?
For the Apache web server use mod_headers:
Apache mod_headers
and add "Header always append X-Frame-Options SAMEORIGIN".
There are three settings for X-Frame-Options:
SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent the page from being displayed in a frame or iframe.
ALLOW-FROM uri: This setting will allow the page to be displayed only on the specified origin.

Same origin policy / CORS in MVC 5

What is the default policy within an ASP.NET MVC application? Also, how are CORS and X-Frame-Options related?
If I create a new MVC web app (hosted in IIS) on port e.g. 21232 and add an iframe to the index view with a source set to my local IIS, e.g.
<iframe src="http://localhost/iisstart.htm" width="800" height="100"/>
This works fine (even though on a different port to the web application).
If I now change the iframe source to be something completely external, e.g.
<iframe src="http://www.google.com" width="800" height="100"/>
This now displays an empty iframe. If I look in the Chrome dev tools (Chrome used in both examples) I see an error in the console
Refused to display 'https://www.google.co.uk' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Why did the first URL work when the address is on a different port to the hosting page?
How do X-Frame-Options relate to CORS? I tried adding the following to my web.config (see ref enable cors in IIS)
<add name="Access-Control-Allow-Origin" value="*" />
Which made no difference. Looks as if I need to add the following to the Application_Start in the global.asax.cs
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
Are X-Frame-Options specifically iframe related?
I think you got the X-Frame-Options response header and CORS all mixed up.
The X-Frame-Options response header is used to indicate whether or not a browser should be allowed to load a particular page in an <iframe>. CORS, on the other hand, is used to determine whether XMLHttpRequest (XHR) (and a few other things) is allowed across domains.
So yes, X-Frame-Options is <iframe> related only.
The reason why you are able to load http://localhost/iisstart.htm in your web application running at port 21232 is that there is no X-Frame-Options response header present in the response. You will not be able to load http://www.google.com because its X-Frame-Options is set to SAMEORIGIN. This means that unless your domain is google.com, you will not be able to load it inside an <iframe>.
The Access-Control-Allow-Origin header that you added has nothing to do with <iframe>. There is no way you will be able to load http://www.google.com in your page.
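The framing rules the posts above describe (CSP frame-ancestors taking precedence over X-Frame-Options, the conflicting-values fallback to deny from the IIS question, and SAMEORIGIN versus a missing header from the MVC example), as an added Python header audit that is not code from any of the posts. It models current browsers, which ignore the legacy ALLOW-FROM value, and the sample headers and origins in the test are constructed for illustration.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Browser-style origin (scheme://host[:port]) of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _csp_source_matches(source, embedder):
    """Match one frame-ancestors source ('none', scheme:, [scheme://]host[:port], *.host, *)
    against an embedder origin. Simplified: the port is compared only when the source lists one."""
    if source == "'none'":
        return False
    e = urlsplit(embedder)
    if "://" not in source and source.endswith(":"):      # scheme-only source such as "https:"
        return e.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    host = s.hostname
    if not host or (s.scheme and s.scheme != e.scheme):
        return False
    wild = host.startswith("*.")
    matched = host == "*" or (e.hostname.endswith(host[1:]) if wild else host == e.hostname)
    return matched and (s.port is None or s.port == e.port)

def framing_allowed(headers, page_url, embedder_url):
    """Whether page_url may be framed by a document at embedder_url, given the response
    headers as (name, value) pairs (repeated headers allowed). Returns (allowed, reason)."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    # 1. A CSP frame-ancestors directive wins when present; X-Frame-Options is then ignored.
    for n, v in headers:
        for directive in (v.split(";") if n.lower() == "content-security-policy" else []):
            name, _, rest = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                for src in rest.lower().split():
                    if (embedder == page) if src == "'self'" else _csp_source_matches(src, embedder):
                        return True, f"frame-ancestors source {src} matched"
                return False, "frame-ancestors does not list the embedder"
    # 2. Otherwise X-Frame-Options: collect every value, including comma-joined ones.
    xfo = [p.strip().lower() for n, v in headers if n.lower() == "x-frame-options" for p in v.split(",")]
    if not xfo:
        return True, "no framing restriction sent"
    if len(set(xfo)) > 1:   # e.g. "SAMEORIGIN, ALLOW-FROM http://x": browsers fall back to deny
        return False, f"conflicting X-Frame-Options values {sorted(set(xfo))}, treated as deny"
    if xfo[0] == "deny":
        return False, "X-Frame-Options: deny"
    if xfo[0] == "sameorigin":
        return embedder == page, "X-Frame-Options: sameorigin"
    # Anything else, including the legacy ALLOW-FROM, is ignored by current browsers.
    return True, f"unrecognised X-Frame-Options value {xfo[0]!r} ignored"
```

Feed it the headers captured from the real response (one tuple per header line) to see which rule the browser will apply before changing web.config, nginx or notes.ini.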
