1

I'm getting the below error in Microsoft Edge. But, works fine in Chrome. Below are the details of implementation. The user's logged-in email is being captured on the page-load of the home page by User.Identity.Name

  1. Asp.Net Webforms application hosted in Azure.
  2. Enabled Azure AD Authentication.
  3. Loading this web application on the Intranet web page through IFRAME.
  4. The intranet is SSO enabled with OKTA.

enter image description here

Naveen
  • 53
  • 2
  • 8

2 Answers2

2

You're running into what X-Frame-Options does.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Source: X-Frame-Options on MDN

If you own the page you're trying to run inside the IFrame, make sure to explicitly set the correct value for the X-Frame-Options header. If you don't: why display it in an IFrame?

If you're running into Chrome behaving differently than Edge, have a look at how the header is used and if Chrome supports it. For instance, ALLOW-FROM is not supported by Chrome.

More info: caniuse.com for x-frame-options.

The MDN document I linked to earlier about ALLOW-FROM:

ALLOW-FROM uri (obsolete)
This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can only be displayed in a frame on the specified origin uri.

EDIT:
As an addition to your statement

Looks like there is no other option other than removing Azure AD authentication

You should never display any login page in an iframe because of the cickjacking issues it introduces. This is not limited to Azure AD authentication, this is true for any and all authentication options.

Azure AD authentication also has a pop-up option. For instance: if you're using MSAL.js there's this:

You can sign in users to your application in MSAL.js in two ways:

  • Pop-up window, by using the loginPopup method
  • Redirect, by using the loginRedirect method

Source: Single-page application: Sign-in and Sign-out

rickvdbosch
  • 14,105
  • 2
  • 40
  • 53
  • Thanks, Rick. I don't own the page, but will go ahead and propose this solution. – Naveen May 25 '20 at 15:45
  • Hi Rick, I have tried adding the options in web.config as suggested, but it didn't work. Since we have enabled Azure AD authentication to the app service, it is going to login.microsoft.com first to show the sign-in options. Looks like there is no other option other than removing Azure AD authentication – Naveen Jun 01 '20 at 13:12
  • Thanks, Rick will look into this. – Naveen Jun 03 '20 at 09:27
0

You should try to check the X-Frame-Options header. The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME.

Besides, please note that this token must be sent as a HTTP Header, and the directive will be ignored if found in a META HTTP-EQUIV tag. You could refer to this article for more information.

If you have control of the Server that sends the content of the iframe, you could refer to this article and this link about configuring the value.

More info: How to set 'X-Frame-Options' on iframe?

Yu Zhou
  • 11,532
  • 1
  • 8
  • 22