X-Frame-Options Allow-From multiple domains

Question

I have an ASP NET 4 0 IIS7 5 site which I need secured using the X-Frame-Options header   I also need to enable my site pages to be iframed from my same domain as well as from my facebook app   Currently I have my site configured with a site headed of   Response Headers Add  X-Frame-Options    ALLOW-FROM SAMEDOMAIN  www facebook com MyFBSite     When I viewed my Facebook page with Chrome or Firefox my sites pages  being iframed with my facebook page  are display ok  but under IE9  I get the error        this page cannot be displayed      because of the X-Frame Options restriction     How do I set the X-Frame-Options  ALLOW-FROM to support more than a single domain   X-FRAME-OPTION being a new feature seems fundamentally flawed if only a single domain can be defined

User · Answer

The RFC for the HTTP Header Field X-Frame-Options states that the "ALLOW-FROM" field in the X-Frame-Options header value can only contain one domain. Multiple domains are not allowed.

The RFC suggests a work around for this problem. The solution is to specify the domain name as a url parameter in the iframe src url. The server that hosts the iframe src url can then check the domain name given in the url parameters. If the domain name matches a list of valid domain names, then the server can send the X-Frame-Options header with the value: "ALLOW-FROM domain-name", where domain name is the name of the domain that is trying to embed the remote content. If the domain name is not given or is not valid, then the X-Frame-Options header can be sent with the value: "deny".

User · Answer

Necromancing   The provided answers are incomplete    First  as already said  you cannot add multiple allow-from hosts  that s not supported   Second  you need to dynamically extract that value from the HTTP referrer  which means that you can t add the value to Web config  because it s not always the same value    It will be necessary to do browser-detection to avoid adding allow-from when the browser is Chrome  it produces an error on the debug - console  which can quickly fill the console up  or make the application slow   That also means you need to modify the ASP NET browser detection  as it wrongly identifies Edge as Chrome    This can be done in ASP NET by writing a HTTP-module which runs on every request  that appends a http-header for every response  depending on the request s referrer  For Chrome  it needs to add Content-Security-Policy       https   stackoverflow com questions 31870789 check-whether-browser-is-chrome-or-edge public class BrowserInfo        public System Web HttpBrowserCapabilities Browser   get  set        public string Name   get  set        public string Version   get  set        public string Platform   get  set        public bool IsMobileDevice   get  set        public string MobileBrand   get  set        public string MobileModel   get  set          public BrowserInfo System Web HttpRequest request                if  request Browser    null                        if  request UserAgent Contains  Edge                    amp  amp  request Browser Browser     Edge                                 this Name    Edge                             else                               this Name   request Browser Browser                  this Version   request Browser MajorVersion ToString                              this Browser   request Browser              this Platform   request Browser Platform              this IsMobileDevice   request Browser IsMobileDevice              if  IsMobileDevice                                this Name   request Browser Browser                                      void context EndRequest object sender  System EventArgs e        if  System Web HttpContext Current    null  amp  amp  System Web HttpContext Current Response    null                System Web HttpResponse response   System Web HttpContext Current Response           try                          response Headers  P3P      CP     IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT                      response Headers Set  P3P    CP     IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT                       response AddHeader  P3P    CP     IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT                    response AppendHeader  P3P    CP     IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT                        response AppendHeader  X-Frame-Options    DENY                   response AppendHeader  X-Frame-Options    SAMEORIGIN                   response AppendHeader  X-Frame-Options    AllowAll                 if  System Web HttpContext Current Request UrlReferrer    null                                    X-Frame-Options    ALLOW-FROM   Not recognized in Chrome                  string host   System Web HttpContext Current Request UrlReferrer Scheme   System Uri SchemeDelimiter                               System Web HttpContext Current Request UrlReferrer Authority                                    string selfAuth   System Web HttpContext Current Request Url Authority                  string refAuth   System Web HttpContext Current Request UrlReferrer Authority                      SQL Log System Web HttpContext Current Request RawUrl  System Web HttpContext Current Request UrlReferrer OriginalString  refAuth                    if  IsHostAllowed refAuth                                         BrowserInfo bi   new BrowserInfo System Web HttpContext Current Request                           bi Name   Firefox                        bi Name   InternetExplorer                        bi Name   Chrome                         Chrome wants entire path                         if   System StringComparer OrdinalIgnoreCase Equals bi Name   Chrome                            response AppendHeader  X-Frame-Options    ALLOW-FROM     host                               unsafe-eval  invalid JSON https   github com keen keen-js issues 394                        unsafe-inline  styles                        data  url data image png                              https   www owasp org index php Clickjacking Defense Cheat Sheet                        https   www ietf org rfc rfc7034 txt                        https   developer mozilla org en-US docs Web HTTP Headers X-Frame-Options                        https   developer mozilla org en-US docs Web HTTP CSP                         https   stackoverflow com questions 10205192 x-frame-options-allow-from-multiple-domains                        https   content-security-policy com                         http   rehansaeed com content-security-policy-for-asp-net-mvc                          This is for Chrome                         response AppendHeader  Content-Security-Policy    default-src  self   unsafe-inline   unsafe-eval  data    msecnd net vortex data microsoft com     selfAuth         refAuth                         System Collections Generic List lt string gt  ls   new System Collections Generic List lt string gt                         ls Add  default-src                        ls Add   self                         ls Add   unsafe-inline                         ls Add   unsafe-eval                         ls Add  data                             http   az416426 vo msecnd net scripts a ai 0 js                         ls Add    msecnd net                           ls Add  vortex data microsoft com                         ls Add selfAuth                       ls Add refAuth                        string contentSecurityPolicy   string Join      ls ToArray                         response AppendHeader  Content-Security-Policy   contentSecurityPolicy                                     else                                       response AppendHeader  X-Frame-Options    SAMEORIGIN                                                 else                 response AppendHeader  X-Frame-Options    SAMEORIGIN                      catch  System Exception ex                           WTF                System Console WriteLine ex Message      Suppress warning                     End if  System Web HttpContext Current    null  amp  amp  System Web HttpContext Current Response    null        End Using context EndRequest   private static string   s allowedHosts   new string            localhost 49533        localhost 52257        vmcompany1        vmcompany2        vmpostalservices        example com       public static bool IsHostAllowed string host        return Contains s allowedHosts  host        End Function IsHostAllowed    public static bool Contains string   allowed  string current        for  int i   0  i  lt  allowed Length    i                if  System StringComparer OrdinalIgnoreCase Equals allowed i   current               return true           Next i       return false       End Function Contains    You need to register the context EndRequest function in the HTTP-module Init function    public class RequestLanguageChanger   System Web IHttpModule         void System Web IHttpModule Dispose                    throw new NotImplementedException                void System Web IHttpModule Init System Web HttpApplication context                   https   stackoverflow com questions 441421 httpmodule-event-execution-order         context EndRequest    new System EventHandler context EndRequest                 context EndRequest Code from above comes here       Next you need to add the module to your application   You can either do this programmatically in Global asax by overriding the Init function of the HttpApplication  like this   namespace ChangeRequestLanguage         public class Global   System Web HttpApplication                System Web IHttpModule mod   new libRequestLanguageChanger RequestLanguageChanger             public override void Init                         mod Init this               base Init                         protected void Application Start object sender  System EventArgs e                                protected void Session Start object sender  System EventArgs e                                protected void Application BeginRequest object sender  System EventArgs e                                protected void Application AuthenticateRequest object sender  System EventArgs e                                protected void Application Error object sender  System EventArgs e                                protected void Session End object sender  System EventArgs e                                protected void Application End object sender  System EventArgs e                                     or you can add entries to Web config if you don t own the application source-code          lt httpModules gt           lt add name  RequestLanguageChanger  type   libRequestLanguageChanger RequestLanguageChanger  libRequestLanguageChanger    gt         lt  httpModules gt       lt  system web gt      lt system webServer gt       lt validation validateIntegratedModeConfiguration  false   gt        lt modules runAllManagedModulesForAllRequests  true  gt         lt add name  RequestLanguageChanger  type  libRequestLanguageChanger RequestLanguageChanger  libRequestLanguageChanger    gt       lt  modules gt     lt  system webServer gt   lt  configuration gt    The entry in system webServer is for IIS7   the other in system web is for IIS 6   Note that you need to set runAllManagedModulesForAllRequests to true  for that it works properly    The string in type is in the format  Namespace Class  Assembly    Note that if you write your assembly in VB NET instead of C   VB creates a default-Namespace for each project  so your string will look like    DefaultNameSpace Namespace  Class  Assembly    If you want to avoid this problem  write the DLL in C

User · Answer

X-Frame-Options is deprecated  From MDN      This feature has been removed from the Web standards  Though some browsers may still support it  it is in the process of being dropped  Do not use it in old or new projects  Pages or Web apps using it may break at any time    The modern alternative is the Content-Security-Policy header  which along many other policies can white-list what URLs are allowed to host your page in a frame  using the frame-ancestors directive  frame-ancestors supports multiple domains and even wildcards  for example   Content-Security-Policy  frame-ancestors  self  example com   example net     Unfortunately  for now  Internet Explorer does not fully support Content-Security-Policy   UPDATE  MDN has removed their deprecation comment  Here s a similar comment from W3C s Content Security Policy Level      The frame-ancestors directive obsoletes the X-Frame-Options header  If a resource has both policies  the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored

User · Answer

As per the MDN Specifications  X-Frame-Options  ALLOW-FROM is not supported in Chrome and support is unknown in Edge and Opera   Content-Security-Policy  frame-ancestors overrides X-Frame-Options  as per this W3 spec   but frame-ancestors has limited compatibility  As per these MDN Specs  it s not supported in IE or Edge

User · Answer

One possible workaround would be using a  frame-breaker  script as described here  You just need to alter the  if  statement to check for your allowed domains      if  self     top           var antiClickjack   document getElementById  antiClickjack           antiClickjack parentNode removeChild antiClickjack        else            your domain check goes here        if top location host     allowed domain1 com   amp  amp  top location host     allowed domain2 com            top location   self location         This workaround would be safe  I think  because with javascript not enabled you will have no security concern about a malicious website framing your page

User · Answer

YES  This method allowed multiple domain   VB NET  response headers add  X-Frame-Options    ALLOW-FROM    amp  request urlreferer tostring

User · Answer

From RFC 7034      Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted   So      How do I set the X-Frame-Options  ALLOW-FROM to support more than a single domain    You can t  As a workaround you can use different URLs for different partners  For each URL you can use it s own X-Frame-Options value  For example   partner   iframe URL       ALLOW-FROM --------------------------------------- Facebook  fb yoursite com  facebook com VK COM    vk yoursite com  vk com   For yousite com you can just use X-Frame-Options  deny   BTW  for now Chrome  and all webkit-based browsers  does not support ALLOW-FROM statements at all

User · Answer

How about an approach that not only allows multiple domains  but allows dynamic domains   The use case here is with a Sharepoint app part which loads our site inside of Sharepoint via an iframe  The problem is that sharepoint has dynamic subdomains such as https   yoursite sharepoint com  So for IE  we need to specify ALLOW-FROM https    sharepoint com  Tricky business  but we can get it done knowing two facts    When an iframe loads  it only validates the X-Frame-Options on the first request  Once the iframe is loaded  you can navigate within the iframe and the header isn t checked on subsequent requests  Also  when an iframe is loaded  the HTTP referer is the parent iframe url    You can leverage these two facts server side   In ruby  I m using the following code     uri   URI parse request referer    if uri host match    sharepoint  com        url    https     uri host       response headers  X-Frame-Options      ALLOW-FROM   url     end   Here we can dynamically allow domains based upon the parent domain  In this case  we ensure that the host ends in sharepoint com keeping our site safe from clickjacking   I d love to hear feedback on this approach

User · Answer

Strictly speaking no  you cant   You can however specify X-Frame-Options  mysite com and therefore allow subdomain1 mysite com and subdomain2 mysite com  But yes  that s still one domain  There happens to be some workaround for this  but I think it s easiest to read that directly at the RFC specs  https   tools ietf org html rfc7034  It s also worth to point out that the Content-Security-Policy  CSP  header s frame-ancestor directive obsoletes X-Frame-Options  Read more here

User · Answer

Not exactly the same  but could work for some cases  there is another option ALLOWALL which will effectively remove the restriction  which might be a nice thing for testing pre-production environments

User · Answer

I had to add X-Frame-Options for IE and Content-Security-Policy for other browsers  So i did something like following   if allowed domains present    request host   URI parse request referer     domain   allowed domains split      include  request host host       request host scheme      request host host     app host   response headers  Content-Security-Policy      frame-ancestors    domain     response headers  X-Frame-Options      ALLOW-FROM    domain   else   response headers except   X-Frame-Options  end

[asp.net] X-Frame-Options Allow-From multiple domains

Examples related to asp.net

Examples related to security

Examples related to iis-7

Examples related to header

Examples related to internet-explorer-9