Allow iFrame - Fix issue “Display forbidden by X-Frame-Options”

Issue

When you try to use your web page in an iFrame on a non-local site, the iFrame won't load or you get an error that says: “Display forbidden by X-Frame-Options”.

Cause

The X-Frame-Options header is set to "SAMEORIGIN" server-wide on the source server.

Resolution

For IIS servers, add an X-Frame-Options header in the web.config file of the site you want to source the page from.
1. Open your source site's web.config file.
2. Search "X-Frame".
    a. If no results, continue to step 3.
    b. If there is already an X-Frame-Options entry under httpProtocol, change its value from "SAMEORIGIN" or "DENY" to the ALLOW-FROM value shown in step 3.
3. Search "</system.webServer>". Just before that tag, insert the following code:
<httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="ALLOW-FROM https://domain.com" />
    </customHeaders>
</httpProtocol>
4. Change https://domain.com to the domain name that you are using the iFrame on.
 
The webpages for your site should now load in an iFrame.

Test it:

  1. Go to https://www.iframe-generator.com/ and insert the URL that you want to use in your iFrame. Click Preview. The page will fail to load.
  2. Change the URL in the X-Frame-Options header under httpProtocol to https://www.iframe-generator.com/
  3. Go to https://www.iframe-generator.com/ and insert your URL that you want to use in the iFrame. Click Preview. The page should load now.
This confirms that the httpProtocol X-Frame-Options header is working in the web.config file.
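
A header check to run alongside the manual test above, added here as an example and not part of the original article: it evaluates a response's X-Frame-Options and Content-Security-Policy headers the way current browsers do, where ALLOW-FROM is unsupported and ignored and a CSP frame-ancestors directive takes precedence. The function names, example.test hosts and sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

def origin(url):
    """Lowercased scheme://host[:port] of a URL (default ports are not normalised)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def framing_allowed(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedder_url framing page_url directly.

    Simplified model of current browser behaviour: exact-origin sources,
    'self', 'none' and * only; nested frames are not modelled.
    """
    hdrs = {name.lower(): value for name, value in headers.items()}
    embedder = origin(embedder_url)
    same = origin(page_url) == embedder

    # CSP frame-ancestors, when present, is enforced and X-Frame-Options is ignored.
    for directive in hdrs.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower().rstrip("/") for t in tokens[1:]]
            allowed = ("*" in sources or embedder in sources
                       or ("'self'" in sources and same))
            if "'none'" in sources:
                allowed = False
            return allowed, "CSP frame-ancestors"

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return same, "X-Frame-Options SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Current browsers do not support ALLOW-FROM and ignore the header,
        # so the page can be framed by any site, not only the one listed.
        return True, "ALLOW-FROM ignored: no restriction"
    return True, "no framing policy"

# Constructed sample values, not taken from a real server.
PAGE = "https://app.example.test/page"
PORTAL = "https://portal.example.test/"
OTHER = "https://other.example.test/"

if __name__ == "__main__":
    for hdr in ({"X-Frame-Options": "ALLOW-FROM https://portal.example.test"},
                {"Content-Security-Policy": "frame-ancestors https://portal.example.test"}):
        for site in (PORTAL, OTHER):
            print(hdr, site, framing_allowed(hdr, PAGE, site))
```

With the header form from step 3, both sites are reported as able to frame the page; the frame-ancestors form limits framing to the listed origin.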
