6

I have a site hosted on an external server and I would like to be able run it (within an iframe) from my local dev environment (localhost). Unfortunately, I am getting "This content cannot be displayed in a frame" message within the frame content when trying to load the page with the iframe. How can I resolve this?

The local website that uses the iframe is classic asp, while the site hosted on an external server is MVC4. I only get the error when trying to iframe the MVC4 web app. When I try to iframe a classic asp site that sits on the same server (same domain) as the MVC4 app, I get no error.

Tom S
  • 127
  • 1
  • 4
  • 18

3 Answers3

2

According to Mozilla Developer Network, there are three options which are supported on either <frame>, <iframe> or <object> elements:

  • X-Frame-Options: DENY
  • X-Frame-Options: SAMEORIGIN

Edited: From Dorner's comment, the below option is no longer supported and should not be used:

The first and last are definitely not what you need. I tried with a local server to access another local server using:

X-Frame-Options: ALLOW-FROM http://localhost/

But I got a response: 'allow-from http://localhost/' is not a recognized directive. The header will be ignored.

It sort of worked because the header was ignored, yet you have to evaluate if that is desirable for your website. In that case it would just be simpler to ask your server to NOT send this header. But only do it if you understand the consequences for your project.

On IIS it can be done through web.config with:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <remove name="X-Frame-Options" />
  </customHeaders>
 </httpProtocol>
</system.webServer>

For Apache, see this topic.

Just remember, it is up to your web browser to honor the header. Mozilla even states that as:

The added security is only provided if the user accessing the document is using a browser supporting X-Frame-Options.

I believe Edge is being more strict with this rule than Webkit for example.

Reuel Ribeiro
  • 1,419
  • 14
  • 23
  • I tested the X-Frame-Options but it did not work. What is interesting is that I only get the error message when trying to iframe my MVC4 web app within the iframe. If I switch to an .asp page, which sits on the same server as the MVC4 web app, I get no problems with getting content of the iframe displayed. I am going to edit my question so it has the info in it. Anyway, thanks for you answer Reuel. – Tom S Mar 15 '17 at 14:06
  • 1
    ALLOW-FROM no longer works and should be avoided. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options – John Dorner Jun 11 '21 at 15:47
1

What turned out to be the fix was using SuppressXFrameOptionsHeader to ensure that the XFrameOptionsHeader setting is not being overwritten automatically.

Roberto Caboni
  • 7,252
  • 10
  • 25
  • 39
Tom S
  • 127
  • 1
  • 4
  • 18
0

X-Frame-Options header only supports two directives: DENY or SAMEORIGIN. While DENY blocks all attempts to embed the website in an iframe, SAMEORIGIN allows embedding only on the same domain. This limitation makes it unsuitable for allowing embedding on specific domains other than your own.

What you need is Content-Security-Policy HTTP header, it has a frame-ancestors directive which is what you need.

To make it work, set you headers to desired domain

In node.js:

res.setHeader('Content-Security-Policy', 'frame-ancestors https://www.google.com/;');

In ruby on rails:

response.headers["Content-Security-Policy"] = "frame-ancestors https://www.google.com/;"

With CSP header, you're good to go!

Dr. Freddy Dimethyltryptamine
  • 613
  • 6
  • 19