DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

iFrames suddenly quit working

Sort:
You are not authorized to post a reply.
Page 1 of 3123 > >>





Advanced Member





    Hi -

    I just had our intranet site suddenly stop displaying content from our internet site through iFrames. Both sites are DNN.

    The intranet site (which has the iFrames) web.config does have an tag with X-Frame Options set to "Same Origin"  - but this hasn't been changed any time recently. However, the iFrames were working up until last week and suddenly stopped. I cant tell why this has changed.

    The internet site (which contains the content referenced in the iFrames) doesnt have any X-frame-options or CSP setting in it's web.config.

    There is one exception (an iFrame which is still working) . In this case, the iFrame is pulling in content from a page which is not in DNN. It's on the same IIS website, but displaying straight html content (through a virtual directory). This is the only iFrame which is still working. All the iFrames which pull in content from DNN internet website have stopped working.

    Any insight into why this is happening?

    Thanks

    Tom






    Veteran Member





      As "suddenly" usually means "after a change" ... was there a change to the site.. Any idea what changed?
      Joe Craig
      DNN MVP
      Patapsco Research Group





      Advanced Member





        Thanks for your reply - I am trying to find what might have changed, but I don't see anything that seems relevant.

        Do you know if there is anything I should be looking for in the web.config or elsewhere?

        I see "Refused to display 'https://www.santacruzcounty.us/' in a frame because it set 'X-Frame-Options' to 'sameorigin'."
        in the Console which tells me the references (internet) site has a setting somewhere for x-frame origins. It's not in the web.config or in IIS (that I can see).
        Do you know where else I could look?

        Thanks

        Tom





        Veteran Member





          From: https://stackoverflow.com...ions-to-sameori?rq=1

          You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page. This is a security feature to prevent click-jacking. Some details at How to show google.com in an iframThate?

          That last sentence points to:  https://stackoverflow.com...gle-com-in-an-iframe

           

          It seems like the change you are looking for occured on the source of what you want to iframe ...

          Joe Craig
          DNN MVP
          Patapsco Research Group





          Advanced Member





            Thanks, Joe - I saw that too.

            Do you know where I would look on the source of the reference site to find where the 'X-frame-options" is being set?

            Tom





            Veteran Member





              No. But, you might use Fiddler to see what your site is sending to request the data.

              Do you control that site?
              Joe Craig
              DNN MVP
              Patapsco Research Group





              Veteran Member





                Posted By Tom Melkonian on 04 Nov 2019 02:30 PM
                Thanks, Joe - I saw that too.

                Do you know where I would look on the source of the reference site to find where the 'X-frame-options" is being set?

                Tom

                Tom,

                that is set on the web server that hosts the site. If you have control over it, you might use a CSP instead of the X-Frame-Options to allow your site to display it. See here for details.

                If not I guess chances are low to get the page in an IFrame. You could provide a link instead to open the page in a new window - or a JavaScript to do that automatically.

                Happy DNNing!
                Michael

                Michael Tobisch
                DNN★MVP

                dnnWerk Austria
                DNN Connect





                Advanced Member





                  Thanks Michael - Just to be clear - do you mean the web server of the site with the iFrames, or the web server of the content being pulled up by the iFrames?

                  I have access to both. It's an intranet site with iFrames trying to pull up content from our internet site. The weird thing is that it stopped working but it doesn't look like anything changed on the site /server.

                  Another weird thing is that there is one iFrame that is still working - It's pulling content from the same webserver / website, but just some straight html in a folder (not inside DNN) Which is what makes me think the problem is inside DNN somehow.

                  -Tom

                   






                  Veteran Member





                    Tom,

                    I was talking about the web server of the content being pulled up by the iFrames.

                    If using the HTTP response header (X-FRAME-OPTIONS), you have either the possibility to remove it - then all other websites can display the content in an IFrame. If it is an intranet server, it should not be too much risk. Or you can use the ALLOW-FROM option and define the webserver with the IFrames there. The disadvantage of the header is that you may only define one allowed source.

                    If you need to allow more sources you have to define a CSP on the server containing the content displayed in the IFrames.

                    To understand this setting - or the risk when it is not set - I recommend watching my video about clickjacking: https://www.youtube.com/watch?v=C70VPgkV6gk

                    Happy DNNing!
                    Michael

                    Michael Tobisch
                    DNN★MVP

                    dnnWerk Austria
                    DNN Connect





                    Advanced Member





                      Thanks Michael -

                      I actually did remove the custom header (X-Frame-Options) setting from the intranet site, and the iFrames still don't show.

                      So, neither of the sites have the X-Frame-Options setting in their web.config, but the iFrames still don't work.

                      -Tom

                      You are not authorized to post a reply.
                      Page 1 of 3123 > >>

                      These Forums are dedicated to the discussion of DNN Platform.

                      For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

                      1. If you have (suspected) security issues, please DO NOT post them in the forums but instead follow the official DNN security policy
                      2. No Advertising. This includes the promotion of commercial and non-commercial products or services which are not directly related to DNN.
                      3. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
                      4. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
                      5. No Flaming or Trolling.
                      6. No Profanity, Racism, or Prejudice.
                      7. Site Moderators have the final word on approving / removing a thread or post or comment.
                      8. English language posting only, please.

                      Would you like to help us?

                      Awesome! Simply post in the forums using the link below and we'll get you started.

                      Get Involved