DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

iFrames suddenly quit working






Advanced Member





    I just tried (on test server) setting the Content Security Policy - but still no success (it isn't recognized)

    I'm still getting "Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set 'X-Frame-Options' to 'sameorigin'." error, even though I've removed X-FrameContent setting from both servers (and checked the Http Response Headers in IIS to make sure they weren't there).

    It seems like the server / site being pulled up in the iFrame is somehow setting the X-Frame-Options even though I don't have that Http Response Header set there.

    -Tom





    Veteran Member





      Browsercache?

      Anyway, you have to remove the X-FRAME-OPTIONS header from the server that delivers the content, not the server that displays the IFrames.

      Happy DNNing!
      Michael

      Michael Tobisch
      DNN★MVP

      dnnWerk Austria
      DNN Connect





      Advanced Member





        Thanks - no, browser cache is not the issue.
        Clearly, X-Frame-Options is set to 'SAMEORIGIN' on the server delivering the content. I can see that when I look at the site itself in Chrome Developer Tools (Headers). And I see it when I look in the Dev tools console, on the page when the iFrame fails to display the content.

        But I did not set it in web.config. (In fact, I tried putting a [remove name="X-Frame-Options"] tag into the web.config there, to no avail.) I also don't see it in IIS under HttpResponseHeaders for that site.

        Do you have any other idea where the X-Frame-Options="SAMEORIGIN" is being set?

        Thanks
        Tom





        Veteran Member





          Posted By Tom Melkonian on 07 Nov 2019 12:21 PM
          Do you have any other idea where the X-Frame-Options="SAMEORIGIN" is being set?

          Thanks
          Tom

          Tom,

          either in the web.config or maybe in the machine.config.

          Check your web.config for the following line in the configuration >> system.webServer >> httpProtocol >> customHeaders section (think of angle brackets instead of square brackets):

             [add name="X-Frame-Options" value="SAMEORIGIN" /]

          and remove that line.

          If that does not help or if you don't find that line, add this line (in the same section as above):

             [remove name="X-Frame-Options" /]
          

          Happy DNNing!
          Michael

          Michael Tobisch
          DNN★MVP

          dnnWerk Austria
          DNN Connect





          Advanced Member





            Thanks Michael - I have tried this already -

            I just now tried:
            [remove name="X-Frame-Options" /]
            [add name="X-Frame-Options" value="ALLOW-FROM http://testportal.co.santa-cruz.ca.us" /]

            and I get:

            Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM http://testportal.co.santa-cruz.ca.us'). Falling back to 'deny'.

            So it doesn't look like I can unset the X-Frame-Options - SAMEORIGIN setting which is set somewhere. Just can't figure out where this is getting set!






            Veteran Member





              Tom,

              could it be a WAF?

              Happy DNNing!
              Michael

              Michael Tobisch
              DNN★MVP

              dnnWerk Austria
              DNN Connect





              Advanced Member





                Thanks - I'm going to look into that possibility.





                Veteran Member





                  Tom,

                  if you have a WAF, the probability is high that it comes from there. I just did not think of that as it is not widely used yet. Afaik you can set different options there depending on the IP address (range) - therefore you can set no header for your internal network and deny from everything else. But this is probably also depending on the WAF you use.

                  Anyway, let me know if that helped...

                  Happy DNNing!
                  Michael

                  Michael Tobisch
                  DNN★MVP

                  dnnWerk Austria
                  DNN Connect





                  Growing Member





                    Posted By Tom Melkonian on 08 Nov 2019 01:10 PM

                    Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM http://testportal.co.santa-cruz.ca.us'). Falling back to 'deny'.

                    This suggests it's being added after the 'http://healthtest.co.sant...s/' website has finished doing its thing. I'd agree with Michael's suggestion — a WAF or some other network security software would be a good place to look.
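
Added example, not part of any post in this thread and not DNN code: a simplified JavaScript model of how a browser combines X-Frame-Options values (patterned on the HTML Standard's check), plus a comparison of two header captures to see whether a value was injected downstream of the application. The captures are constructed, and taking the origin-side capture on the web server itself is an assumption.

```javascript
// Added example: simplified model of how a browser combines X-Frame-Options
// headers. Headers are [name, value] pairs so duplicate headers are preserved.

// Collect every X-Frame-Options value, merging repeated headers and comma lists.
function xfoValues(headers) {
  const values = new Set();
  for (const [name, value] of headers) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of value.split(',')) {
      if (part.trim()) values.add(part.trim().toLowerCase());
    }
  }
  return [...values];
}

// 'allow' or 'deny' for a page at frameOrigin framed by a page at parentOrigin.
// Simplification: only the direct parent is checked, not every ancestor.
function framingDecision(headers, parentOrigin, frameOrigin) {
  const values = xfoValues(headers);
  const known = values.filter(v => ['deny', 'sameorigin', 'allowall'].includes(v));
  if (values.length > 1 && known.length > 0) return 'deny'; // conflicting values
  if (values.length !== 1) return 'allow'; // no header, or only unrecognized values
  if (values[0] === 'deny') return 'deny';
  if (values[0] === 'sameorigin') return parentOrigin === frameOrigin ? 'allow' : 'deny';
  return 'allow'; // a lone unrecognized value such as ALLOW-FROM is ignored
}

// Values present in the browser-side capture but absent at the origin:
// these were injected by something between the application and the client.
function addedDownstream(originHeaders, browserHeaders) {
  const atOrigin = new Set(xfoValues(originHeaders));
  return xfoValues(browserHeaders).filter(v => !atOrigin.has(v));
}

// Constructed captures (hypothetical; the thread never shows raw headers).
const PORTAL = 'http://testportal.co.santa-cruz.ca.us';
const FRAMED = 'http://healthtest.co.santa-cruz.ca.us';
const fromOrigin = [['X-Frame-Options', `ALLOW-FROM ${PORTAL}`]];
const inBrowser = [['X-Frame-Options', 'SAMEORIGIN'], ...fromOrigin];

console.log(framingDecision(inBrowser, PORTAL, FRAMED)); // deny
console.log(addedDownstream(fromOrigin, inBrowser));     // [ 'sameorigin' ]
```

The model leaves out Content-Security-Policy: when a response carries an enforced frame-ancestors directive, browsers apply it in place of X-Frame-Options.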

                     

                     






                    Advanced Member





                      I don't see anything indicating a firewall setting. Do you know how I would look for that setting? Would I be looking in IIS?

                      There seems to be the possibility that the setting is coming from a module that was recently upgraded (on both production and test servers). Someone on the DNN Connect group said they had a similar occurrence, so we're looking into that possibility.

                      Tom
