
I have an ASP.NET Core MVC website that is the src of an IFRAME inside a portal. Both the portal and the .NET Core application are on the same domain (e.g. site.portal.domain / portal.domain).

When I enter the portal, I get a message in the browsers:

mysite.portal.domain refused to connect

(on Chrome); the other browsers give different errors, for example IE 11 gives:

This content cannot be displayed in a frame

In the Chrome debug console I found the message:

Refused to display 'https://site.portal.domain' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Any hints on how to solve that?

staticdev

1 Answer

X-FRAME-OPTIONS is used to protect against clickjacking attempts. If you own the application and want it to be framed, you can skip the restriction:

```csharp
services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
```

By default, the X-Frame-Options header is generated with the value SAMEORIGIN. If this setting is 'true', the X-Frame-Options header will not be generated for the response.

Nan Yu
  • That helped me fix it, but your code didn't work. Please edit your answer with the line that worked: I added `services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);` to ConfigureServices in Startup. – staticdev Oct 24 '19 at 11:54
  • That solved the problem for Chrome and IE 11, but when I try IE 9 I still get the same error. Do you have any idea what it could be? – staticdev Oct 24 '19 at 14:28
  • For IE9 you have to explicitly add the header with allow. A simple, but insecure fix for this version compatibility is adding ```app.Use(async (context, next) => { context.Response.Headers.Add("X-Frame-Options", "AllowAll"); await next(); });``` Or, better off adding the URL you allow. – staticdev Oct 24 '19 at 18:30