Tracking down X-Frame-Options header

Posted 2019-08-30 10:31

Question:

We've partnered with a company whose website will display our content in an IFRAME. I understand what the header is and what it does and why, what I need help with is tracking down where it's coming from!

Windows Server 2003/IIS6
Container page: https://testDomain.com/test.asp
IFRAME Content: https://ourDomain.com/index.asp?lots_of_parameters,_wheeeee

Testing in Firefox 24 with Firebug installed. (IE and Chrome do the same thing.) Also running Fiddler so I can watch network traffic while I'm at it.

For simplicity's sake, I created a page with nothing on it but the IFRAME in question - same physical server, different domain/site - and it failed with

Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing.

(That's in the Firebug console.) I'm confused because:

  1. Google is not referenced anywhere in the containing app, or in the IFRAMEd app. All JavaScript libraries are kept locally; there is no analytics in the app. No Google, nowhere.

  2. The containing page has NOTHING on it, except the IFRAME. No html tags, no head tag, no body tag. IFRAME. That's it.

  3. The X-FRAME-OPTIONS header does not exist in IIS on the server: not at the "Websites" node, not in the individual sites.

So where the h-e-double-sticks is that coming from? What am I missing?

Interesting point: if I remove http"S" from the IFRAME url, it works. Given the nature of the data, SSL is required.

Answer 1:

You might check global.asax.cs, the app could be adding the header to every response automatically. If you just search the app for "x-frame-options" you might find something also.
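One check worth making before digging through IIS settings or global.asax.cs: follow the redirect chain of the IFRAME URL the way the browser does, because the origin named in the error is the origin of the response that actually carried the X-Frame-Options header, which is not necessarily the URL in the src attribute. The script below is an added example, not part of the original thread; it takes a fetch(url) callable returning (status, headers) so it runs offline against the constructed responses (hypothetical hosts) embedded in it, and a real HTTP client can be substituted to test a live site.

```python
"""Walk an HTTP redirect chain and report which hop sets X-Frame-Options.

Added diagnostic for the question above; not code from the original post.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample responses (hypothetical hosts), modelled on the symptom in
# the question: the HTTPS iframe URL does not serve the page itself but
# redirects, and the final hop is the one carrying the header the browser
# reports. The plain-HTTP URL answers directly with no such header.
SAMPLE_RESPONSES = {
    "https://ourdomain.example/index.asp?id=1":
        (302, {"Location": "https://www.google.example/"}),
    "https://www.google.example/":
        (200, {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}),
    "http://ourdomain.example/index.asp?id=1":
        (200, {"Content-Type": "text/html"}),
}

def fetch_sample(url):
    """Offline stand-in for an HTTP GET: (status, headers) from the map above."""
    return SAMPLE_RESPONSES[url]

def origin(url):
    """Scheme plus host[:port], the part of the URL the browser compares for framing."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def trace_frame_headers(url, fetch, max_hops=10):
    """Follow redirects from `url`, returning a list of (url, status, x_frame_options).

    Header names are compared case-insensitively; x_frame_options is None when
    the hop did not send the header. Raises if the chain exceeds max_hops.
    """
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        lower = {k.lower(): v for k, v in headers.items()}
        hops.append((url, status, lower.get("x-frame-options")))
        if status in (301, 302, 303, 307, 308) and "location" in lower:
            url = urljoin(url, lower["location"])  # relative Location is allowed
            continue
        return hops
    raise RuntimeError("too many redirects")

def framing_blocker(url, fetch):
    """Return (origin, header value) for the first hop that sets X-Frame-Options, else None."""
    for hop_url, _status, xfo in trace_frame_headers(url, fetch):
        if xfo is not None:
            return origin(hop_url), xfo
    return None
```

Run against the constructed chain, the HTTPS URL resolves to the redirect target as the blocker while the HTTP URL reports none, mirroring the "works without https" observation in the question.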