DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

iFrames suddenly quit working

Advanced Member
Posts: 194
Advanced Member
    I just tried (on test server) setting the Content Security Policy - but still no success (it isn't recognized)

    I'm still getting "Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set 'X-Frame-Options' to 'sameorigin'." error, even though I've removed X-FrameContent setting from both servers (and checked the Http Response Headers in IIS to make sure they weren't there).

    It seems like the server / site being pulled up in the iFrame is somehow setting the X-Frame-Options even though I don't have that Http Response Header set there.

    -Tom
    Veteran Member
    Posts: 1179
    Veteran Member
      Browsercache?

      Anyway, you have to remove the X-FRAME-OPTIONS header from the server that delivers the content, not the server that displays the IFrames.

      Happy DNNing!
      Michael

      Michael Tobisch
      DNN★MVP

      DNN Connect
      Advanced Member
      Posts: 194
      Advanced Member
        Thanks - no, browser cache is not the issue.
        Clearly, X-Frame-Options is set to 'SAMEORIGIN' on the server delivering the content. I can see that when I look at the site itself in Chrome Developer Tools (Headers). And I see it when I look in the Dev tools console, on the page when the iFrame fails to display the content.

        But I did not set it in web.config. (In fact, I tried a [remove name="X-Frame-Options"] tag into the web.config there to no avail). I also don't see it in IIS under HttpResponseHeaders for that site.

        Do you have any other idea where the X-Frame-Options="SAMEORIGIN" is being set?

        Thanks
        Tom
        Veteran Member
        Posts: 1179
        Veteran Member
          Posted By Tom Melkonian on 07 Nov 2019 12:21 PM
          Do you have any other idea where the X-Frame-Options="SAMEORIGIN" is being set?

          Thanks
          Tom

          Tom,

          either in the web.config or maybe in the machine.config.

          Check your web.config for the following line in the configuration >> system.webServer >> httpProtocol >> customHeaders section (think of angle brackets instead of square brackets):

             [add name="X-Frame-Options" value="SAMEORIGIN" /]

          and remove that line.

          If that does not help or if you don't find that line, add this line (in the same section as above):

             [remove name="X-Frame-Options" /]
          

          Happy DNNing!
          Michael

          Michael Tobisch
          DNN★MVP

          DNN Connect
          Advanced Member
          Posts: 194
          Advanced Member
            Thanks Michael - I have tried this already -

            I just now tried:
            [remove name="X-Frame-Options" /]
            [add name="X-Frame-Options" value="ALLOW-FROM http://testportal.co.santa-cruz.ca.us" /]

            and I get:

            Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM http://testportal.co.santa-cruz.ca.us'). Falling back to 'deny'.

            So it doesn't look like I can unset the X-Frame-Options - SAMEORIGIN setting which is set somewhere. Just can't figure out where this is getting set!

            Veteran Member
            Posts: 1179
            Veteran Member
              Tom,

              could it be a WAF?

              Happy DNNing!
              Michael

              Michael Tobisch
              DNN★MVP

              DNN Connect
              Advanced Member
              Posts: 194
              Advanced Member
                Thanks - I'm going to look into that possibility.
                Veteran Member
                Posts: 1179
                Veteran Member
                  Tom,

                  if you have a WAF, the probability is high that it comes from there. I just did not think of that as it is not widely used yet. Afaik you can set different options there depending on the IP address (range) - therefore you can set no header for your internal network and deny from everything else. But this is probably also depending on the WAF you use.

                  Anyway, let me know if that helped...

                  Happy DNNing!
                  Michael

                  Michael Tobisch
                  DNN★MVP

                  DNN Connect
                  Growing Member
                  Posts: 52
                  Growing Member
                    Posted By Tom Melkonian on 08 Nov 2019 01:10 PM

                    Refused to display 'http://healthtest.co.santa-cruz.ca.us/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW-FROM http://testportal.co.santa-cruz.ca.us'). Falling back to 'deny'.

                    This suggests it's being added after the 'http://healthtest.co.santa-cruz.ca.us/' website has finished doing its thing. I'd agree with Michael's suggestion — a WAF or some other network security software would be a good place to look.
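One way to test the "added after the website has finished" theory from the posts above, as an added example that is not part of the original thread: compare the response head seen on the web server itself with the one a normal client receives. The two sample responses and the `portal.example` host are constructed, and how the two captures are taken (one request made locally on the server, one through the usual network path) is an assumption.

```python
# Added example: the sample responses are constructed, not captured from the sites in the thread.
ORIGIN_RAW = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: ALLOW-FROM http://portal.example
"""
EDGE_RAW = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: ALLOW-FROM http://portal.example
X-Frame-Options: SAMEORIGIN
"""

def header_values(raw, name):
    """Return every value of `name` in a raw response head, splitting comma-joined lists."""
    values = []
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():                 # blank line ends the header block
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            values += [v.strip() for v in value.split(",") if v.strip()]
    return values

def effective_xfo(values):
    """Mirror the console message quoted in the thread: conflicting values fall back to deny."""
    distinct = {v.upper(): v for v in values}  # compare case-insensitively
    if not distinct:
        return None
    if len(distinct) > 1:
        return "DENY"
    return next(iter(distinct.values()))

def added_downstream(origin_raw, edge_raw, name="X-Frame-Options"):
    """Values the client sees that the application itself did not send."""
    origin = [v.upper() for v in header_values(origin_raw, name)]
    return [v for v in header_values(edge_raw, name) if v.upper() not in origin]

if __name__ == "__main__":
    print("origin:", effective_xfo(header_values(ORIGIN_RAW, "X-Frame-Options")))
    print("edge:  ", effective_xfo(header_values(EDGE_RAW, "X-Frame-Options")))
    print("added after the application:", added_downstream(ORIGIN_RAW, EDGE_RAW))
```

If the extra value already appears in the capture taken on the server, the source is inside IIS or the application (web.config, machine.config, a module); if it appears only in the client-side capture, something between the server and the client is adding it.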

                     

                     

                    Advanced Member
                    Posts: 194
                    Advanced Member
                      I don't see anything indicating a firewall setting. Do you know how I would look for that setting? Would I be looking in IIS?

                      There seems to be the possibility that the setting is coming from a module that was recently upgraded (on both production and test servers). Someone on the DNN Connect group said they had a similar occurrence, so we're looking into that possibility.

                      Tom
