Introduction
Chrome Side of story:-X-Frame-Option Same origin issue appeared in Chrome version 60+ and it came surprising when browser started upgraded from lower version to this version. What if such issue appeared in production where your platform is dependent on third party service provider such as payment gateway through IFrame or any data layer that injects data to your system. Well the point is everything boils down to how secure you want to create a platform.
Your site- Domain ABC- Allow access to Domain XYZ[SameOrigin will not work]
Chrome version 60 and above enforce this and check this X-frame-options.
What happened next?
It started throwing below error in developer tool f12 - console
Refused to display https://abc' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
iframe-tunnel.js:60 GET https://xyz net::ERR_BLOCKED_BY_RESPONSE
Sitecore MVC Side of story:-
From sitecore 8.1 update 3 onwards sitecore introduce default module to add X-FRAME-OPTION Sameorigin using below module
One can check this in web.config file
type="Sitecore.Web.XFrameOptionsHeaderModule, Sitecore.Kernel" name="SitecoreXFrameOptionsHeaderModule"/>
ReferenceProbable Solution
using System.Web.Mvc; namespace Test.Filters { public class RemoveXFrameOptionsAttribute : ActionFilterAttribute { public override void OnResultExecuted(ResultExecutedContext filterContext) { filterContext.HttpContext.Response.Headers.Remove("X-Frame-Options"); base.OnResultExecuted(filterContext); } } [RemoveXFrameOptions] public class TestController : Controller { public ActionResult Index() { return View(); } } } //or //this worked for us. public class TestController : Controller { [RemoveXFrameOptions] public ActionResult Index() { return View(); } }
https://stackoverflow.com/questions/35466242/removing-x-frame-options-header-for-a-specific-controller-only
Bit of background
Why x-frame-options SameOrigin thing? This is required to avoid CLICK JACKING.
https://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont
1 comment :
Hi, thank you for providing this solution. This helped us with a similar requirement we had for our Sitecore website.
Kr,
Christopher
Post a Comment