Hi. I haven't been able to find a solution for how to have most of my webpages set to deny being used for iFrames in other domains BUT allow of a few of them to be used as iFrames in other domains. So to deny iFrames I added <httpProtocal> <customHeaders>
<add name="X-Frame-Options" value="Deny" > to my web.config AND then for the pages that I do want to allow to be used as iFrames in other domains I added this to my global.asax:
Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
Dim my_url As String = Request.Url.AbsoluteUri
If my_url.IndexOf("xxxxxx.aspx") <> -1 Then
HttpContext.Current.Response.Headers.Remove("X-Frame-Options")
End If
end sub … where xxxx.aspx is the name of the page that I do want to be allowed to be an iFrame in another domain
I was hopeful when testing it using local host … the remove code was hit when I loaded the xxxxx.aspx page
but when I moved the updated web.config and global.asax page to live it didn't work - when I went to a domain that does load my page as an Iframe it displayed an error that the iFrame couldn't be loaded.
Can anyone suggest how I can get this to work? Block iFrames for most pages but allow it for a few.
I test the feature and it works on my side , in another application load my application's page in iframe , the difference is i changed to :
Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
Dim my_url As String = Request.Url.AbsoluteUri
If my_url.IndexOf("WebForm3") = -1 Then
HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny")
End If
End Sub
I would suggest you could debug your application in local IIS in VS , and troubleshoot the request/response , Request.Url.AbsoluteUri ....
Best Regards,
Nan Yu
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
None
0 Points
1 Post
deny iFrame use to prevent clickjacking for most of my pages, but allow some pages to be iFrames
Sep 25, 2018 09:09 PM|artdunham@outlook.com|LINK
Hi. I haven't been able to find a solution for how to have most of my webpages set to deny being used for iFrames in other domains BUT allow of a few of them to be used as iFrames in other domains. So to deny iFrames I added <httpProtocal> <customHeaders> <add name="X-Frame-Options" value="Deny" > to my web.config AND then for the pages that I do want to allow to be used as iFrames in other domains I added this to my global.asax:
Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
Dim my_url As String = Request.Url.AbsoluteUri
If my_url.IndexOf("xxxxxx.aspx") <> -1 Then
HttpContext.Current.Response.Headers.Remove("X-Frame-Options")
End If
end sub … where xxxx.aspx is the name of the page that I do want to be allowed to be an iFrame in another domain
I was hopeful when testing it using local host … the remove code was hit when I loaded the xxxxx.aspx page
but when I moved the updated web.config and global.asax page to live it didn't work - when I went to a domain that does load my page as an Iframe it displayed an error that the iFrame couldn't be loaded.
Can anyone suggest how I can get this to work? Block iFrames for most pages but allow it for a few.
thanks!
Art
All-Star
18785 Points
3830 Posts
Microsoft
Re: deny iFrame use to prevent clickjacking for most of my pages, but allow some pages to be iFra...
Sep 26, 2018 06:49 AM|Nan Yu|LINK
Hi artdunham,
I test the feature and it works on my side , in another application load my application's page in iframe , the difference is i changed to :
Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs) Dim my_url As String = Request.Url.AbsoluteUri If my_url.IndexOf("WebForm3") = -1 Then HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny") End If End SubI would suggest you could debug your application in local IIS in VS , and troubleshoot the request/response , Request.Url.AbsoluteUri ....
Best Regards,
Nan Yu
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.