deny iFrame use to prevent clickjacking for most of my pages, but allow some pages to be iFrames

  • Question

  • User-1437207710 posted

    Hi.  I haven't been able to find a solution for how to have most of my webpages set to deny being used for iFrames in other domains BUT allow a few of them to be used as iFrames in other domains.  So to deny iFrames I added <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="Deny" /> to my web.config AND then for the pages that I do want to allow to be used as iFrames in other domains I added this to my global.asax:

    Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
        Dim my_url As String = Request.Url.AbsoluteUri
        ' Strip the header added by web.config for the page that may be framed
        If my_url.IndexOf("xxxxxx.aspx") <> -1 Then
            HttpContext.Current.Response.Headers.Remove("X-Frame-Options")
        End If
    End Sub

    … where xxxx.aspx is the name of the page that I do want to be allowed to be an iFrame in another domain

    I was hopeful when testing it using localhost … the remove code was hit when I loaded the xxxxx.aspx page

    but when I moved the updated web.config and global.asax page to live it didn't work - when I went to a domain that does load my page as an iFrame it displayed an error that the iFrame couldn't be loaded.

    Can anyone suggest how I can get this to work?  Block iFrames for most pages but allow them for a few.

        thanks!

        Art 

    Tuesday, September 25, 2018 9:09 PM

All replies

  • User1724605321 posted

    Hi artdunham,

    I tested the feature and it works on my side; in another application I load my application's page in an iframe. The difference is I changed it to:

    Protected Sub Application_PreSendRequestHeaders(sender As Object, e As EventArgs)
        Dim my_url As String = Request.Url.AbsoluteUri
        ' Add the header in code only for pages that must not be framed
        If my_url.IndexOf("WebForm3") = -1 Then
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny")
        End If
    End Sub

    I would suggest debugging your application in local IIS from VS and troubleshooting the request/response, Request.Url.AbsoluteUri, ...

    Best Regards,

    Nan Yu

    Wednesday, September 26, 2018 6:49 AM
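The deny-by-default, allow-a-few policy that both posts work towards, written here as an added Python example (not either poster's VB.NET code): it matches on the exact request path rather than a substring of the whole URL, drops any X-Frame-Options already added upstream (as web.config customHeaders would), and uses CSP frame-ancestors to name the partner origins for the frameable pages. The paths and origins are constructed placeholders, and it assumes no other Content-Security-Policy header is set elsewhere.

```python
from urllib.parse import urlsplit

# Constructed example policy: pages that partner sites may frame, keyed by
# exact path, each listing the origins allowed to frame them.
FRAMEABLE_PAGES = {
    "/embed/widget.aspx": ["https://partner.example"],
    "/embed/status.aspx": ["https://partner.example", "https://other.example"],
}


def framing_headers(url, frameable=FRAMEABLE_PAGES):
    """Return the anti-clickjacking headers to send for this request URL.

    Matching is on the exact, case-folded path, not a substring of the full
    URL, so '/other.aspx?next=/embed/widget.aspx' still gets DENY.
    """
    path = urlsplit(url).path.lower()
    origins = frameable.get(path)
    if origins is None:
        # Default: refuse framing everywhere; CSP covers modern browsers,
        # X-Frame-Options covers older ones.
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    # Frameable page: X-Frame-Options cannot express a list of several
    # origins, so it is omitted and CSP frame-ancestors carries the list.
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(origins)}


def apply_policy(url, response_headers, frameable=FRAMEABLE_PAGES):
    """Rewrite a response header dict the way a PreSendRequestHeaders hook would.

    Any X-Frame-Options added earlier in the pipeline (for example by
    web.config customHeaders) is removed first so two sources cannot disagree.
    """
    headers = {k: v for k, v in response_headers.items()
               if k.lower() != "x-frame-options"}
    headers.update(framing_headers(url, frameable))
    return headers
```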