2

Good day everyone.

So I have a website and I am trying to embed a Dynamics server in an iframe, and it keeps throwing an error, something like:

Refused to display 'https://XXXXXXXXXXXX' in a frame because it set 'X-Frame-Options' to 'deny'.

Any ideas how I can get it to work?

This happens when we try to redirect the page to a login page.

Thanks

Ke Fedile
  • You can't get this to "work" if you can't control `https ://XXXXXXXXXXXX`. The error message tells you that the server refuses to show this content in an iframe. (The content is actually loaded, but browsers won't show it due to the `X-Frame-Options` header.) – Teemu Feb 25 '20 at 12:41
  • Maybe this helps https://stackoverflow.com/questions/27358966/how-to-set-x-frame-options-on-iframe – Dmytro Cheglakov Feb 25 '20 at 12:46

1 Answer

0

Check the X-Frame-Options header:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Based on the above statement, this is something that the 'https://XXXXXXXXXXXX' has added to the page to disallow it from being used as an `<iframe>`.

You can see that this can even be configured globally on a web server level, to secure all the websites.

If the website is in the same domain, the workaround is easier using the SameOrigin value.

If you want to allow all, then just don't set the response header for the XXXXXXXX site at all (if you have access to it).

Athanasios Kataras
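To see why the login redirect is blocked while a same-domain page would not be, here is an added example (not part of the question or answer above) that models the browser's X-Frame-Options decision for a framed response. The function names, origins and header values are constructed for illustration; the rules follow the HTML Standard's handling of the header as I understand it, and a CSP `frame-ancestors` directive, which takes precedence when present, is not modelled.

```javascript
// Added example: evaluate X-Frame-Options the way a browser does before
// rendering a response inside a frame. All URLs below are constructed.

// A response may send the header several times or as a comma-separated list.
function parseXfo(headerValues) {
  const tokens = headerValues
    .flatMap((v) => v.split(","))
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
  return [...new Set(tokens)]; // de-duplicate, e.g. "DENY, deny"
}

// targetUrl: the framed response; ancestorUrls: every embedding document,
// from the direct parent up to the top-level page.
function canBeFramed(headerValues, targetUrl, ancestorUrls) {
  const tokens = parseXfo(headerValues);
  if (tokens.length === 0) {
    return { allowed: true, reason: "no X-Frame-Options header" };
  }
  if (tokens.length > 1) {
    // Conflicting values: blocked if any recognised directive is among them.
    const recognised = ["deny", "sameorigin", "allowall"];
    const blocked = tokens.some((t) => recognised.includes(t));
    return { allowed: !blocked, reason: blocked ? "conflicting values" : "unrecognised values" };
  }
  const token = tokens[0];
  if (token === "deny") {
    return { allowed: false, reason: "deny" };
  }
  if (token === "sameorigin") {
    const origin = new URL(targetUrl).origin;
    const ok = ancestorUrls.every((a) => new URL(a).origin === origin);
    return { allowed: ok, reason: ok ? "all ancestors same-origin" : "cross-origin ancestor" };
  }
  // ALLOW-FROM and unknown values are not enforced by current browsers.
  return { allowed: true, reason: "value ignored: " + token };
}

// Constructed scenario matching the question: a site on one origin frames a
// login page on another origin that answers with X-Frame-Options: deny.
const login = "https://crm.example.com/login";
const embedder = ["https://www.example.org/portal"];
console.log(canBeFramed(["deny"], login, embedder));
console.log(canBeFramed(["SAMEORIGIN"], login, ["https://crm.example.com/home"]));
```

Run against the headers copied from the browser's network tab, this shows whether the block comes from `deny`, from a cross-origin ancestor under `sameorigin`, or from conflicting values.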