3

I have a problem with my custom domain name. My domain provider put the redirect website inside the iframe.

<HTML><HEAD><TITLE></TITLE></HEAD>
<FRAMESET ROWS="*"><FRAME NAME=997 NORESIZE SRC="xxx.azurewebsites.net/">
<NOFRAMES><BODY><A HREF="xxx.azurewebsites.net/">click here</A></BODY></NOFRAMES>
</FRAMESET></HTML>

Currently I am using azurewebsites hosting, and when I access my website through my custom domain I cannot use any action apart from the home controller.

The problem is with the X-Frame-Options header, such as:

Refused to display '' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Are there any solutions for such behaviour? Or is it a problem with my domain provider?

Best regards.

gggttt

1 Answer

5

I spent a couple of days (really a lot of time for me) resolving this issue, but finally I found a workaround.

To be honest, I have read a lot of articles about the x-frame problem and its attributes (Deny, SameOrigin, AllowsAll, AllowsFor, etc.) and I haven't found any reliable solution for this issue. I do understand the problem of clickjacking and cross-site issues of course; however, I am aware that my proposition is not fully proper and secure, because it removes the value of the header from the request.

So this is it, in Global.asax.cs:

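using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;

namespace xxxx
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }

        // Runs at the end of every request and blanks the X-Frame-Options
        // value, so the response no longer carries a framing restriction
        // and any origin can embed these pages.
        private void Application_EndRequest(object sender, EventArgs e)
        {
            Response.Headers["X-FRAME-OPTIONS"] = string.Empty;
        }
    }
}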

To sum up, I have to admit a couple of things:

The Chrome browser supports neither the AllowFor attribute nor AllowAll. It understands only the Deny and SameOrigin attributes; on the other hand, Internet Explorer deals with the AllowAll attribute. Firefox behaves similarly to Chrome.

Also, IIS or Windows Azure hosts add this header to the response automatically, with the SameOrigin attribute (the same as the Somme.com host).

In a case such as mine (and other people's, as I noticed: http://www.windows-azure.net/x-frame-options-header-is-not-changing-in-azure-web-role/ ) the only solution is to resign from the x-frame-options header. Although it seems to me that web browsers should at least support the AllowFor attribute to overcome this issue.

Thanks and best regards!

Grzegorz

gggttt
  • Thanks for your help - had exactly the same problem, and your solution sorted it! – EdsonF Mar 07 '15 at 22:56
  • Thanks for sharing - solved the same issue for me as well. – Rowan Jun 30 '16 at 06:35
  • Thanks for your solution: I had to embed a web app that shows a simple form from a Wordpress page. The iframe item always showed: Refused to display 'https://anysite.azurewebsites.net/' in a frame because it set 'X-Frame-Options' to 'sameorigin'. Your answer solved it! – Hagen Jul 17 '20 at 20:06
  • How would I do this for an MVC ASP.NET azure website? Thanks. – sidsud Apr 13 '21 at 13:18
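
An alternative to blanking the header, as an added example that is not part of the original answer: drop X-Frame-Options and name the one permitted framing origin with the CSP `frame-ancestors` directive, so the custom domain can embed the site while other origins are still refused. The namespace and `https://www.example.com` are placeholders, and `AntiForgeryConfig.SuppressXFrameOptionsHeader` only helps if MVC's anti-forgery helper is what emits the header in your app.

```csharp
// Added example: Global.asax.cs for an ASP.NET MVC app on System.Web
// (IIS integrated pipeline, as Response.Headers requires).
using System;
using System.Web;
using System.Web.Helpers;

namespace FramingExample // hypothetical namespace
{
    public class MvcApplication : HttpApplication
    {
        // Assumption: placeholder for the custom domain whose frameset page
        // embeds the site. The scheme must match how that page is served.
        private const string FrameParents = "'self' https://www.example.com";

        protected void Application_Start()
        {
            // MVC's anti-forgery helper adds X-Frame-Options: SAMEORIGIN when
            // it renders a token; if that is the source, stop it there.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
            // ... existing area, filter, route and bundle registration ...
        }

        protected void Application_EndRequest(object sender, EventArgs e)
        {
            // X-Frame-Options cannot express "this one other origin" in
            // Chrome or Firefox, so remove it rather than blank it ...
            Response.Headers.Remove("X-Frame-Options");

            // ... and state the allow-list with CSP frame-ancestors instead.
            string directive = "frame-ancestors " + FrameParents;
            string existing = Response.Headers["Content-Security-Policy"];

            if (string.IsNullOrWhiteSpace(existing))
            {
                Response.Headers["Content-Security-Policy"] = directive;
            }
            else if (existing.IndexOf("frame-ancestors",
                         StringComparison.OrdinalIgnoreCase) < 0)
            {
                // Keep the app's own policy and append the framing rule.
                Response.Headers["Content-Security-Policy"] =
                    existing.TrimEnd(' ', ';') + "; " + directive;
            }
        }
    }
}
```

Internet Explorer does not implement `frame-ancestors`, so with this configuration it receives no framing restriction at all.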