Issue
When you try to use your web page in an iFrame on a non-local site, the iFrame won't load or you get an error that says: “Display forbidden by X-Frame-Options”.
Cause
The X-Frame-Options header is set to "SAMEORIGIN" server-wide on the source server.
Resolution
For IIS servers, add an X-Frame-Options header in the web.config file of the site you want to source the page from.
1. Open your source site's web.config file.
2. Search for "X-Frame".
a. If there are no results, continue to step 3.
b. If there is already an X-Frame-Options entry under httpProtocol, change its value from "SAMEORIGIN" or "DENY" to the ALLOW-FROM value shown in step 3.
3. Search for "</system.webServer>". Just before that tag, insert the following code:
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="ALLOW-FROM https://domain.com" />
  </customHeaders>
</httpProtocol>
4. Change https://domain.com to the domain name that you are using the iFrame on.
The webpages for your site should now load in an iFrame.
Test it:
- Go to https://www.iframe-generator.com/ and insert the URL that you want to use in your iFrame. Click Preview. The page will fail to load.
- Change the URL in the X-Frame-Options httpProtocol entry to https://www.iframe-generator.com/
- Go to https://www.iframe-generator.com/ and insert your URL that you want to use in the iFrame. Click Preview. The page should load now.
This confirms that the httpProtocol X-Frame-Options header is working in the web.config file.
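The following complete web.config is an added example, not part of the original article. It allows framing from one named origin and also sends Content-Security-Policy frame-ancestors, because current Chrome, Firefox and Edge do not implement ALLOW-FROM. Assumptions: the server-wide header is inherited as an IIS custom header from a parent configuration (hence the <remove>), same-site framing should keep working (hence 'self'), and https://domain.com is the article's placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Assumption: the server-wide SAMEORIGIN header is inherited from a
             parent IIS configuration. customHeaders is keyed by name, so the
             inherited entry is removed before a site-level one is added. -->
        <remove name="X-Frame-Options" />
        <!-- Legacy header from step 3; only older browsers such as
             Internet Explorer honour ALLOW-FROM. -->
        <add name="X-Frame-Options" value="ALLOW-FROM https://domain.com" />
        <!-- Current browsers enforce frame-ancestors and ignore
             X-Frame-Options when it is present. List only the origins that
             need to embed this site. If a Content-Security-Policy header is
             already configured, add the directive to that policy instead of
             adding a second entry. -->
        <add name="Content-Security-Policy"
             value="frame-ancestors 'self' https://domain.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The <remove> has no effect if the SAMEORIGIN header is added somewhere other than IIS custom headers, for example by a proxy in front of the server.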
Article ID: 2664, Created: April 23, 2018 at 4:09 PM, Modified: April 23, 2018 at 4:31 PM