
Regarding the X-Frame-Options (https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header), I'm having a bit of a hard time parsing what the docs say and what I'm seeing. My understanding is that when the page returns SAMEORIGIN, browsers will only load the contents of the frame if the page that had the IFRAME came from the same domain.

I've got three machines. When I'm logged into SERVER-A, I navigate to a page that is hosted on SERVER-A. It contains an IFrame that loads a page from SERVER-B but it's in a different domain. This all works... but when I go to SERVER-C and browse to the same page (that's served from SERVER-A), it won't load. Looking at the IE Debugging Tools, the request for that IFramed page shows a status of aborted.

Ideas?

Andrew Connell

1 Answer


This is working as you'd expect from server C - you've stated that the iFrame shouldn't load in a page from a different domain in the X-Frame-Options, and it didn't. This security policy isn't applied for pages loaded from localhost, which sounds like it's what's happening here when you're on server A, similarly to this situation.

You haven't said which of the pages you've applied the X-Frame-Options to: it matters that it was on the page in the iFrame (i.e. on Server B in your setup). I don't think applying the header to server A will have made a difference.

Jim Downing
  • I didn't specify, you're correct. Pages served up by SERVER-A have one URL (URL-A) and those by SERVER-B come from URL-B. The pages generated by URL-B are the only ones with X-Frame-Options set. Hmm... would your localhost comment apply even though they are really coming from different domains? – Andrew Connell Sep 30 '12 at 18:27
  • Yes - it looks like your test proves that IE (at least for your security settings) doesn't apply these security constraints to iframes in pages loaded from localhost. If server A has an external address, I'd expect the constraints to be applied when you access through that, regardless of the origin of the request. – Jim Downing Oct 01 '12 at 22:00
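As an added worked example (not code from the question or the answer), the following Python function models how a browser evaluates the X-Frame-Options value sent by the framed page, given that page's origin and the origin of the top-level document, and replays the SERVER-A / SERVER-B setup described above. The function names and the `server-a.example` / `server-b.example` hosts are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default ports, so that http://b.example and http://b.example:80 compare as one origin.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port), the triple a browser treats as the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def framing_allowed(xfo_header: Optional[str], framed_url: str, top_url: str) -> bool:
    """Decide whether a browser honouring X-Frame-Options displays `framed_url`
    inside a page whose top-level document is `top_url`.

    `xfo_header` is the value sent BY THE FRAMED PAGE (the IFRAME content, i.e.
    SERVER-B in the question). A header on the outer page has no effect, which
    is the point the answer makes about where the header must be applied.
    """
    if xfo_header is None:
        return True                      # no header: nothing restricts framing
    directive, _, argument = xfo_header.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False                     # never framed, not even by its own origin
    if directive == "SAMEORIGIN":
        # Only a top-level page from the framed page's own origin may frame it.
        return origin_of(framed_url) == origin_of(top_url)
    if directive == "ALLOW-FROM" and argument:
        # Legacy form (IE and older Firefox only); permits exactly one origin.
        return origin_of(argument.strip()) == origin_of(top_url)
    # Any other value is invalid; browsers ignore it, so framing is permitted.
    return True


# Constructed hosts standing in for the question's SERVER-A (outer) and SERVER-B (framed).
FRAMED_ON_B = "https://server-b.example/framed"
OUTER_ON_A = "https://server-a.example/outer"


def question_scenario() -> bool:
    """SERVER-B sends SAMEORIGIN; the outer page comes from SERVER-A's domain."""
    return framing_allowed("SAMEORIGIN", FRAMED_ON_B, OUTER_ON_A)  # False: blocked
```

Running `question_scenario()` reproduces the blocked request seen from SERVER-C; the same call with an outer page on `server-b.example` returns True.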