How Can I Bypass the X-Frame-Options SAMEORIGIN HTTP Header

Question

I am developing a web page that needs to display  in an iframe  a report served by another company s SharePoint server  They are fine with this    The page we re trying to render in the iframe is giving us X-Frame-Options  SAMEORIGIN which causes the browser  at least IE8  to refuse to render the content in a frame    First  is this something they can control or is it something SharePoint just does by default  If I ask them to turn this off  could they even do it    Second  can I do something to tell the browser to ignore this http header and just render the frame

User · Answer

As for second question - you can use Fiddler filters to set response X-Frame-Options header manually to something like ALLOW-FROM    But  of course  this trick will work only for you - other users still won t be able to see iframe content if they not do the same

User · Answer

Yes Fiddler is an option for me    Open Fiddler menu   Rules   Customize Rules  this effectively edits CustomRules js   Find the function OnBeforeResponse Add the following lines   oSession oResponse headers Remove  X-Frame-Options    oSession oResponse headers Add  Access-Control-Allow-Origin          Remember to save the script

User · Answer

The X-Frame-Options header is a security feature enforced at the browser level   If you have control over your user base  IT dept for corp app   you could try something like a greasemonkey script  if you can a  deploy greasemonkey across everyone and b  deploy your script in a shared way      Alternatively  you can proxy their result   Create an endpoint on your server  and have that endpoint open a connection to the target endpoint  and simply funnel traffic backwards

User · Answer

If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config    There s nothing you can do to circumvent it and anything that does work should get patched quickly in a security hotfix  You can t tell the browser to just render the frame if the source content header says not allowed in frames  That would make it easier for session hijacking   If the content is GET only you don t post data back then you could get the page server side and proxy the content without the header  but then any post back should get invalidated

User · Answer

UPDATE  2019-12-30       It seem that this tool is no longer working   Request for update      UPDATE 2019-01-06  You can bypass X-Frame-Options in an  lt iframe gt  using my X-Frame-Bypass Web Component  It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome   You can use it as follows     Optional  Include the Custom Elements with Built-in Extends polyfill for Safari    lt script src  https   unpkg com  ungap custom-elements-builtin  gt  lt  script gt   Include the X-Frame-Bypass JS module    lt script type  module  src  x-frame-bypass js  gt  lt  script gt   Insert the X-Frame-Bypass Custom Element    lt iframe is  x-frame-bypass  src  https   example org   gt  lt  iframe gt

[asp.net] How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

Examples related to asp.net

Examples related to sharepoint

Examples related to http

Examples related to x-frame-options