Hi -
I just had our intranet site suddenly stop displaying content from our internet site through iFrames. Both sites are DNN.
The intranet site (which has the iFrames) web.config does have an tag with X-Frame Options set to "Same Origin" - but this hasn't been changed any time recently. However, the iFrames were working up until last week and suddenly stopped. I cant tell why this has changed.
The internet site (which contains the content referenced in the iFrames) doesnt have any X-frame-options or CSP setting in it's web.config.
There is one exception (an iFrame which is still working) . In this case, the iFrame is pulling in content from a page which is not in DNN. It's on the same IIS website, but displaying straight html content (through a virtual directory). This is the only iFrame which is still working. All the iFrames which pull in content from DNN internet website have stopped working.
Any insight into why this is happening?
Thanks
Tom
From: https://stackoverflow.com...ions-to-sameori?rq=1
You cannot display a lot of websites inside an iFrame. Reason being that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page. This is a security feature to prevent click-jacking. Some details at How to show google.com in an iframThate?
That last sentence points to: https://stackoverflow.com...gle-com-in-an-iframe
It seems like the change you are looking for occured on the source of what you want to iframe ...
Posted By Tom Melkonian on 04 Nov 2019 02:30 PM Thanks, Joe - I saw that too. Do you know where I would look on the source of the reference site to find where the 'X-frame-options" is being set? Tom
Tom,
that is set on the web server that hosts the site. If you have control over it, you might use a CSP instead of the X-Frame-Options to allow your site to display it. See here for details.
If not I guess chances are low to get the page in an IFrame. You could provide a link instead to open the page in a new window - or a JavaScript to do that automatically.
Happy DNNing! Michael
Michael TobischDNN★MVP
Thanks Michael - Just to be clear - do you mean the web server of the site with the iFrames, or the web server of the content being pulled up by the iFrames?
I have access to both. It's an intranet site with iFrames trying to pull up content from our internet site. The weird thing is that it stopped working but it doesn't look like anything changed on the site /server.
Another weird thing is that there is one iFrame that is still working - It's pulling content from the same webserver / website, but just some straight html in a folder (not inside DNN) Which is what makes me think the problem is inside DNN somehow.
-Tom
Tom, I was talking about the web server of the content being pulled up by the iFrames. If using the HTTP response header (X-FRAME-OPTIONS), you have either the possibility to remove it - then all other websites can display the content in an IFrame. If it is an intranet server, it should not be too much risk. Or you can use the ALLOW-FROM option and define the webserver with the IFrames there. The disadvantage of the header is that you may only define one allowed source. If you need to allow more sources you have to define a CSP on the server containing the content displayed in the IFrames. To understand this setting - or the risk when it is not set - I recommend watching my video about clickjacking: https://www.youtube.com/watch?v=C70VPgkV6gk Happy DNNing! Michael
Thanks Michael -
I actually did remove the custom header (X-Frame-Options) setting from the intranet site, and the iFrames still don't show.
So, neither of the sites have the X-Frame-Options setting in their web.config, but the iFrames still don't work.
These Forums are dedicated to the discussion of DNN Platform.
For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:
Awesome! Simply post in the forums using the link below and we'll get you started.