[asp.net] How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this http header and just render the frame?




Yes, Fiddler is an option for me:

  1. Open Fiddler menu > Rules > Customize Rules (this effectively edits CustomRules.js).
  2. Find the function OnBeforeResponse.
  3. Add the following lines:

    oSession.oResponse.headers.Remove("X-Frame-Options");
    oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
    
  4. Remember to save the script!

As for the second question - you can use Fiddler filters to set the response X-Frame-Options header manually to something like ALLOW-FROM *. But, of course, this trick will work only for you - other users still won't be able to see the iframe content (if they do not do the same).


The X-Frame-Options header is a security feature enforced at the browser level.

If you have control over your user base (IT dept for a corp app), you could try something like a Greasemonkey script (if you can a) deploy Greasemonkey across everyone and b) deploy your script in a shared way)...

Alternatively, you can proxy their result. Create an endpoint on your server, and have that endpoint open a connection to the target endpoint, and simply funnel traffic backwards.
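The browser-side check this answer refers to (the SAMEORIGIN refusal in the question, the ALLOW-FROM value suggested in the first answer), as an added example that is not part of any answer on this page: a small JavaScript model of how a browser parses X-Frame-Options and decides whether to render a framed document, following RFC 7034. The function names and the sample origins are my own.

```javascript
// Added example (not from the question or answers): model of a browser's
// X-Frame-Options evaluation per RFC 7034. Values are case-insensitive;
// DENY always blocks, SAMEORIGIN compares the framed document's origin with
// the top-level origin, ALLOW-FROM accepts exactly one serialized origin.
// Note: Chrome and Safari never implemented ALLOW-FROM and treat it as an
// invalid value; CSP frame-ancestors is the replacement for per-origin lists.

function parseXFrameOptions(headerValue) {
  if (headerValue === null || headerValue === undefined) return { directive: "NONE" };
  const value = String(headerValue).trim();
  const upper = value.toUpperCase();
  if (upper === "DENY") return { directive: "DENY" };
  if (upper === "SAMEORIGIN") return { directive: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM")) {
    const rest = value.slice("ALLOW-FROM".length).trim();
    try {
      // A real origin is required; "ALLOW-FROM *" is not a valid origin.
      return { directive: "ALLOW-FROM", origin: new URL(rest).origin };
    } catch (e) {
      return { directive: "INVALID", raw: value };
    }
  }
  return { directive: "INVALID", raw: value };
}

// Decide whether a document served with `headerValue` from `framedOrigin`
// may render inside a page whose top-level origin is `topOrigin`. Browsers
// log an error and ignore the header when its value is unrecognised, so an
// INVALID value does not block framing.
function framingDecision(headerValue, framedOrigin, topOrigin) {
  const parsed = parseXFrameOptions(headerValue);
  switch (parsed.directive) {
    case "NONE":
      return { allowed: true, reason: "no X-Frame-Options header" };
    case "DENY":
      return { allowed: false, reason: "DENY blocks all framing" };
    case "SAMEORIGIN":
      return framedOrigin === topOrigin
        ? { allowed: true, reason: "top-level origin matches framed origin" }
        : { allowed: false, reason: "SAMEORIGIN: " + topOrigin + " != " + framedOrigin };
    case "ALLOW-FROM":
      return parsed.origin === topOrigin
        ? { allowed: true, reason: "top-level origin is the listed origin" }
        : { allowed: false, reason: "ALLOW-FROM only permits " + parsed.origin };
    default:
      return { allowed: true, reason: "invalid value '" + parsed.raw + "' ignored" };
  }
}
```

Run with the constructed origins below to see why a SharePoint page sent with SAMEORIGIN is refused when the embedding page lives on another host, whatever the two companies have agreed.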


UPDATE: 2019-12-30

It seems that this tool is no longer working! [Request for update!]

UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.

You can use it as follows:

  1. (Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:

    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
    
  2. Include the X-Frame-Bypass JS module:

    <script type="module" src="x-frame-bypass.js"></script>
    
  3. Insert the X-Frame-Bypass Custom Element:

    <iframe is="x-frame-bypass" src="https://example.org/"></iframe>
    
