If others tries to iframe my site they get error "Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' ". Do they have to change something, or I, or both? I found there are options for X-Frame-Options :SAMEORIGIN,DENY,and allow only one site. Configuration :IIS8, ASP.NET MVC. Are there any global settings to allow others to iframe my site?
Asked
Active
Viewed 3.4k times
10
-
using suggested answers, is there a way to enable iframing just for a specific view? – dev-masih Aug 05 '18 at 04:50
2 Answers
19
In your golbal.asax.cs set X-Frame-Options to AllowAll:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("X-Frame-Options");
Response.AddHeader("X-Frame-Options", "AllowAll");
}
Zaki
- 5,540
- 7
- 54
- 91
-
Hey! Thanks! You saved my day! I'm developing a WebAdd-In to Excel and Microsoft rejects because the content is rendered in IFrame and in Excel Online, running in IE11, the browser simply blocks the content. With this, it's all working! many thanks, God! :D – Nuno Ribeiro Jan 16 '20 at 11:30
9
Since your website is the frame target, you would make all the changes to your website. As you will see below, this is quite simple.
Option 1 - Modify your web application's web.config file Remove the X-Frame-Options custom header
Before:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="AllowAll" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
After
<system.webServer>
...
<httpProtocol>
<customHeaders/>
</httpProtocol>
...
</system.webServer>
Option 2 - Log onto the web server and access IIS Manager
- Open Internet Information Services (IIS) Manager.
- In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
- Double-click the HTTP Response Headers icon in the feature list in the middle.
- Select X-Frame-Options from the list
- In the Actions pane on the right side, click Remove.
- Click OK to save your changes.
WorkSmarter
- 3,738
- 3
- 29
- 34