Internet Explorer X-Frame-Options ALLOW-FROM not working in IE 11 and Edge

12,328

IE 11 is not following the standard, which means you cannot use "*", so you have to give the domain name with http/https.

  # Rails controller before_action (Ruby): sets CORS and framing headers on the response.
  def cors_set_access_control_headers
    headers["Access-Control-Allow-Origin"] = "*"
    headers["Access-Control-Allow-Methods"] = "GET"
    # Access-Control-Request-Method is a request header the browser sends in a
    # preflight; setting it on the response has no effect.
    headers["Access-Control-Request-Method"] = "*"
    headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept, Authorization"
    # ALLOW-FROM takes exactly one origin (scheme and host, optional port); "*" is not valid here.
    headers["X-Frame-Options"] = "ALLOW-FROM http://172.16.1.159"
    # Turns off IE's XSS filter, which produces the "modified this page to help
    # prevent cross-site scripting" notice.
    headers["X-XSS-Protection"] = "0"
  end
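Because ALLOW-FROM accepts a single origin, a site that must be framed by more than one parent cannot express that in one static X-Frame-Options value. The added Ruby example below (not code from the original answer) builds the framing headers per response: it sends a CSP frame-ancestors list for browsers that support it, and for IE it derives the ALLOW-FROM origin from the Referer header, but only after checking that origin against an allowlist, falling back to DENY otherwise. The FRAME_PARENTS origins are constructed placeholders. Referer can be stripped by referrer policy or proxies, so a legitimate embed may then receive DENY; that is the safe failure mode, and the allowlist check is what prevents a page from simply naming itself in Referer to get framed.

```ruby
require "uri"

# Constructed allowlist of parent origins permitted to frame this app
# (placeholder values, not from the original post).
FRAME_PARENTS = %w[https://portal.example https://intranet.example].freeze

# Reduce a URL to its origin (scheme://host[:port]); nil if it is not an
# http(s) URL or cannot be parsed. Default ports are dropped so that
# "https://portal.example:443/" and "https://portal.example/" compare equal.
def origin_of(url)
  return nil if url.nil? || url.empty?
  u = URI.parse(url)
  return nil unless %w[http https].include?(u.scheme) && u.host
  default = (u.scheme == "https") ? 443 : 80
  port = (u.port.nil? || u.port == default) ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Build the framing headers for one response.
# - Content-Security-Policy frame-ancestors carries the whole allowlist for
#   browsers that honour it.
# - X-Frame-Options ALLOW-FROM names the single origin found in Referer, but
#   only if that origin is on the allowlist; anything else gets DENY.
def frame_headers(referer, allowed = FRAME_PARENTS)
  csp = "frame-ancestors #{allowed.join(' ')}"
  parent = origin_of(referer)
  xfo = allowed.include?(parent) ? "ALLOW-FROM #{parent}" : "DENY"
  { "Content-Security-Policy" => csp, "X-Frame-Options" => xfo }
end

# Usage in a Rails controller would be:
#   before_action { headers.merge!(frame_headers(request.referer)) }
if __FILE__ == $PROGRAM_NAME
  p frame_headers("https://portal.example/dashboard?tab=1")
  p frame_headers("https://attacker.example/")
  p frame_headers(nil)
end
```

Chrome and Safari never implemented ALLOW-FROM and ignore an X-Frame-Options header carrying it, which is why the CSP directive is sent alongside rather than instead of it.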
Author: Admin
Updated on June 28, 2022

Comments

  • Admin
    Admin almost 2 years

    I am having an issue using X-Frame-Options to embed one site as an iFrame into another (different domains) with IE 11 and Edge. My research and experience indicate that IE doesn't yet support CSP Level 2 frame-ancestors, so I must use X-Frame-Options.

    I have added the response header X-Frame-Options: ALLOW-FROM https://<mysite>.com to the site that needs to be embedded.

    These are secured sites so I am unable to provide real URLs to this community.

    When I launch the main site, which contains an iFrame with content from the second site, I am able to see the X-Frame-Options header in the response for the iframe content and it looks to be applied correctly. However, IE indicates "...modified this page to help prevent cross-site scripting" and my frame contains only the # symbol.

    Due to timing and internal IT delays, I am unable to have both sites hosted in the same domain.

    Can anyone help to explain what I did wrong in implementing X-Frame-Options or if there is another option to achieve the desired effect?