deny iFrame use to prevent clickjacking for most of my pages, but allow some pages to be iFrames
Sep 25, 2018 09:09 PM|artdunham@outlook.com
Hi. I haven't been able to find a solution for how to have most of my webpages set to deny being used for iFrames in other domains BUT allow a few of them to be used as iFrames in other domains. So to deny iFrames I added <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="Deny" > to my web.config AND then for the pages that I do want to allow to be used as iFrames in other domains I added this to my global.asax:

    Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
        ' Full request URL, including the query string
        Dim my_url As String = Request.Url.AbsoluteUri
        ' Drop the header only for the page that may be framed
        If my_url.IndexOf("xxxxxx.aspx") <> -1 Then
            HttpContext.Current.Response.Headers.Remove("X-Frame-Options")
        End If
    End Sub

… where xxxx.aspx is the name of the page that I do want to be allowed to be an iFrame in another domain.
I was hopeful when testing it using localhost … the remove code was hit when I loaded the xxxxx.aspx page,
but when I moved the updated web.config and global.asax page to live it didn't work - when I went to a domain that does load my page as an iFrame it displayed an error that the iFrame couldn't be loaded.
Can anyone suggest how I can get this to work? Block iFrames for most pages but allow it for a few.
thanks!
Art

Re: deny iFrame use to prevent clickjacking for most of my pages, but allow some pages to be iFra...
Sep 26, 2018 06:49 AM|Nan Yu
Hi artdunham,
I tested the feature and it works on my side: in another application I load my application's page in an iframe. The difference is that I changed the code to:

    Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
        ' Full request URL, including the query string
        Dim my_url As String = Request.Url.AbsoluteUri
        ' Send the header for every page except the one that may be framed
        If my_url.IndexOf("WebForm3") = -1 Then
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny")
        End If
    End Sub

I would suggest you debug your application in local IIS in VS, and troubleshoot the request/response, Request.Url.AbsoluteUri ....
Best Regards,
Nan Yu
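
An exact-path variant of the header-in-code approach from the reply above, as an added example that is not part of the original thread. It matches on `AbsolutePath` instead of a substring of `AbsoluteUri` (which also contains the query string) and limits who may frame the exempt pages with `frame-ancestors`. Assumptions: the page paths and the partner origin are constructed placeholders, the static `X-Frame-Options` entry has been taken out of web.config so the header is emitted in one place only, and the application sets no other `Content-Security-Policy` header.

```vbnet
' Added example for Global.asax.vb; paths and partner origin are constructed placeholders.
Imports System
Imports System.Collections.Generic
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication

    ' Pages that other sites may frame (hypothetical paths), compared case-insensitively.
    Private Shared ReadOnly FrameablePaths As New HashSet(Of String)(
        StringComparer.OrdinalIgnoreCase) From {"/WebForm3.aspx", "/Widgets/Embed.aspx"}

    ' Origins allowed to frame those pages (hypothetical partner site).
    Private Const AllowedAncestors As String = "'self' https://partner.example"

    ' Pure decision function, so the policy can be unit-tested without IIS.
    Public Shared Function FramingHeaders(absolutePath As String) As Dictionary(Of String, String)
        Dim headers As New Dictionary(Of String, String)
        If absolutePath IsNot Nothing AndAlso FrameablePaths.Contains(absolutePath) Then
            ' Exempt page: no X-Frame-Options, but only listed origins may frame it.
            headers("Content-Security-Policy") = "frame-ancestors " & AllowedAncestors
        Else
            ' Default for every other path, including unknown ones: no framing at all.
            headers("X-Frame-Options") = "DENY"
            headers("Content-Security-Policy") = "frame-ancestors 'none'"
        End If
        Return headers
    End Function

    Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
        Dim response As HttpResponse = HttpContext.Current.Response
        ' AbsolutePath excludes the query string, so "?x=WebForm3" cannot exempt a page.
        Dim path As String = HttpContext.Current.Request.Url.AbsolutePath
        ' Clear any value set earlier in code, then write exactly one value per header.
        response.Headers.Remove("X-Frame-Options")
        For Each kvp As KeyValuePair(Of String, String) In FramingHeaders(path)
            response.Headers.Set(kvp.Key, kvp.Value)
        Next
    End Sub
End Class
```

Checking the live response headers for both an exempt and a non-exempt page (browser developer tools or any HTTP client) confirms which values the production server actually sends.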