0

For my site I see that among response headers there is X-Frame-Options: SAMEORIGIN. Still I can preview my site in iframe of some different site, for instance here. But I expected not to. I assume that this is back-end work to add some more setting that would prevent the site from rendering in iframe? I thought that if it returns the above header the security functionality preventing showing site in iframe is already in place. Isn't it?

UPDATE: It's my fault I didn't specify that this header is returned for each xhr but there is no such header for static resources (html, js, css, images). Might that be a reason?

UPDATE2: I've asked BE guys to provide the header for static resources too. After implementation I'll share whether it helps or not.

Improve this question
12
  • it should be working. What browser are you using? Commented Dec 27, 2016 at 17:40
  • Your link is just a default w3schools demo. Perhaps you mean to show us different code? Commented Dec 27, 2016 at 17:53
  • @AlexanderO'Mara, no I didint mean to show something different, I just inserted my site link into iframe src attribute in this tutorial for testing purpose Commented Dec 27, 2016 at 18:06
  • @tim it was Chrome Version 55.0.2883.87, also checked in Firefox Version 50.1.0. I thought that its server that is responsible for serving content or not Commented Dec 27, 2016 at 18:10
  • 2
    The server doesn't know whether the page is being requested in an iframe, so it will send the response and the browser checks the headers to see if it's allowed. Commented Dec 27, 2016 at 18:50

1 Answer 1

Reset to default
1

I asked that the URL be posted so more eyes can examine the header.

If that can't be done, check the following by looking at the header as your browser sees it in the developer tools.

If this header is set more than once, it can cause the directive to fail because the browser will condense multiple instances of the same header into one so that it becomes:

X-Frame-Options: SAMEORIGIN,SAMEORIGIN

and this value is not one of the three allowed so the header will be ignored.

For example, if your web server sets it and then code in the application sets it again, it will happen.

source: https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger

Improve this answer
1
  • I have a site where this header (with same value) is set twice - looks just like the 'condensed' example (SAMEORIGIN,SAMEORIGIN) and it still works properly in the two browsers I have tested. Commented Dec 28, 2016 at 15:52

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.