相关文章推荐
大鼻子的课本  ·  javascript - 找不到 ...·  1 年前    · 
重感情的熊猫  ·  query data dimension ...·  1 年前    · 
朝气蓬勃的足球  ·  range 用法 vba-掘金·  1 年前    · 
Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

enable cors on iis - load denied by x-frame-options: does not permit cross-origin framing

Ask Question

There are several questions about that but I couldn't get the right answer yet. I give a short summary:

Company A has a website with an iframe in it. Company B gives the URL for that iframe. The user uses an application from Company B and with the settings the user chooses it sets up an URL which is delivered to the iframe from Company A.

However, the framing is not working yet because of x-frame-options. The error message is the following:

Load denied by X-Frame-Options: http://www.myurl.com:8088/myPath?panel=panel&user=username does not permit cross-origin framing.

I added

<httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
</httpProtocol>

to my web.config and also tried to add

<handlers>  
    <remove name="OPTIONS"/>
</handlers>

without any success.

I got that suggestions from this and this website to add CORS support on my IIS. As I mentioned above, without any success. I'm not that good in web development or IIS so maybe this question sounds stupid to you: Does Company A has to enable CORS or does Company B? Or both? And how? The suggestions I got from google didn't help yet.

Suggestions appreciated.

That error message isn’t related to the Access-Control-Allow-Origin header nor to OPTIONS handling, so it’s expected that the changes described in the question wouldn’t have any effect.

The cause instead is, the http://www.myurl.com:8088 server’s sending an X-Frame-Options response header in responses for requests to /myPath. So if you don’t want the server to do that, you need to figure out what part of the server code is causing that X-Frame-Options response header to be added, and remove that code.

If I understand it right, company B has to do that, right? Are there some ways to easily figure it out? – Therk Jul 26, 2017 at 8:54 Whoever controls the server running at http://www.myurl.com:8088 needs to remove whatever is adding that X-Frame-Options response header in order for any code running at another origin to be able to frame that content. If you don’t control the server running at http://www.myurl.com:8088 then there’s nothing you do can that’ll allow your site to frame that content. The entire purpose of X-Frame-Options is to block third-party sites from framing content when the content owners don’t want to them to. If there were some way for third-party sites to bypass it, that’d defeat the purpose – sideshowbarker Jul 26, 2017 at 9:00 Okay, then I'll look for that X-Frame-Options part and remove it. Hope I'll find it. Is there a "typical place" for it? Or can it be anywhere? – Therk Jul 26, 2017 at 9:10 One likely place is your IIS Web.config file. That’s probably the best place to look first. – sideshowbarker Jul 26, 2017 at 9:14

x-frame-options has been replaced by Content-Security-Policy and you can use it as following:

<system.webServer>
<httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy" value="frame-ancestors 'self' example.com *.example.net ;" />
    <add name="X-Content-Security-Policy" value="frame-ancestors 'self' example.com *.example.net ;" />
  </customHeaders>
</httpProtocol>
        

Thanks for contributing an answer to Stack Overflow!

  • Please be sure to answer the question. Provide details and share your research!

But avoid

  • Asking for help, clarification, or responding to other answers.
  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.