I'm attempting to remove the default X-Frame-Options: SAMEORIGIN header from DNN so I can allow iframes to link to my site.

I have found that the suggested way to do this is to use AntiForgeryConfig.SuppressXFrameOptionsHeader = true (Source: MVC 5 prevents access to content via Iframe)

However, because DNN does not have an accessible global.asax.cs file, I'm not sure how to add this.

It looks like someone else has successfully done this using a custom module: https://www.dnnsoftware.com/forums/threadid/531595/scope/posts/remove-x-frame-options-value-of-sameorigin

I've tried doing the same, but it does not have the intended effect:

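using System;
using System.Web;
using System.Web.Helpers;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Entities.Modules.Actions;
using DotNetNuke.Services.Exceptions;

namespace DotNetNuke.Modules.IframeAllow
{
    public partial class IframeAllow : PortalModuleBase
    {
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);

            // Static flag read by the MVC anti-forgery helper; when true it
            // stops adding X-Frame-Options: SAMEORIGIN to responses.
            // Set here, it only changes once a page hosting this module loads.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
        }
    }
}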

Possibly this is because this needs to happen at application start?

Craigjb

1 Answer

You should change the X-Frame-Options in the web.config file by removing the header:

<httpProtocol>
  <customHeaders>
    <remove name="X-Frame-Options" />
  </customHeaders>
</httpProtocol>

Or by allowing a specific allowed origin (only 1 can be specified):

<httpProtocol>
  <customHeaders>
    <remove name="X-Frame-Options" />
    <add name="X-Frame-Options" value="ALLOW-FROM https://mywebsite.org/" />
  </customHeaders>
</httpProtocol>

Check this thread for more information: https://www.dnnsoftware.com/forums/threadid/547624/scope/posts/how-to-allow-iframe-content-on-dnn-site-x-frame-option

David Rodriguez
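
Added example, not part of the answer above: current browsers ignore the ALLOW-FROM value of X-Frame-Options, and the Content-Security-Policy frame-ancestors directive is its replacement and accepts several origins. The fragment assumes the site sends no other Content-Security-Policy header; https://partner.example is a constructed placeholder origin.

```xml
<!-- Added example. Assumes no other Content-Security-Policy header is
     already sent; https://partner.example is a constructed placeholder. -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Weak on its own: removing the header with nothing in its place
           lets any site frame every page, which exposes them to clickjacking. -->
      <remove name="X-Frame-Options" />

      <!-- Corrected: name the origins that may frame the site.
           'self' keeps same-origin framing working, as SAMEORIGIN did. -->
      <remove name="Content-Security-Policy" />
      <add name="Content-Security-Policy"
           value="frame-ancestors 'self' https://mywebsite.org https://partner.example" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

If a response still carries X-Frame-Options alongside this header, browsers that support frame-ancestors enforce the CSP directive and ignore X-Frame-Options.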