We are building an ASP.NET website and want to allow only some domains to iframe our website. CSP is not supported in Internet Explorer. I am setting something like
Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com").
How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy but it doesn't have frame-ancestors.
Also I am removing the default X-Frame-Options header added by IIS by doing
Response.Headers.Remove("X-Frame-Options")
The solution recommended by Microsoft is the following:
- internally, whitelist domain1.com and domain2.com
- when embedding your iframe URL, add a parameter in the URL that specifies the origin: iframe src="http://example.org/frame.html?origin=http://domain1.com"
- on your server, check if the origin value is whitelisted. Use it to set X-Frame-Options: ALLOW-FROM http://domain1.com
You could also check the Referer header if it is present.
X-Frame-Options is being superseded by Content-Security-Policy, but as you say, not all browsers fully support Content-Security-Policy yet.
You say you're intentionally removing X-Frame-Options, but you shouldn't. That is supported by Internet Explorer, so if you use it in addition to Content-Security-Policy, you will get the same effect across a wider range of browsers.
See X-Frame-Options documentation here, which includes a mention of IE support:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Internet Explorer 8 through 11 only support X-Frame-Options, and you can use the ALLOW-FROM value. Specify the URLs for your iframes there.
Please keep in mind only the latest Internet Explorer browsers support X-Content-Security-Policy.
X-Content-Security-Policy works for IE. Test the browsers for CSP support using https://content-security-policy.com/browser-test/
Snippet in express would look like:
// Express middleware: emit the IE-prefixed CSP header with a frame-ancestors directive
function applyCSPforIE(req, res, next) {
    res.setHeader('X-Content-Security-Policy', 'frame-ancestors \'self\' http://whatever.com/');
    next();
}
You could use both together and it works, but there's a warning about it at this article.
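To tie the two approaches together (the allowlist-plus-origin-parameter scheme from the first answer and the Express snippet above), here is an added example that is not part of the original question or any answer. It is framework-neutral Node.js: a pure function that decides the frame-control headers for one request, plus an Express-style wrapper. The allowlist contents, the function names (normalizeOrigin, frameHeadersFor, frameAncestorsMiddleware) and the query-parameter name are assumptions for illustration. It deliberately parses the candidate origin with the URL class rather than doing a substring match, and falls back to deny-by-default (frame-ancestors 'self' and X-Frame-Options: SAMEORIGIN) whenever the origin is missing, malformed, or not on the list.

```javascript
// Added example (not from the original question or any answer).
// Constructed allowlist: origins (scheme + host) that may frame this site.
const ALLOWED_FRAMERS = ['https://domain1.com', 'https://domain2.com'];

// Normalise a candidate to "scheme://host[:port]" via the URL parser, or return
// null if it is not an http(s) URL. Parsing (instead of string matching) avoids
// accepting lookalikes such as "https://domain1.com.evil.test".
function normalizeOrigin(candidate) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return null; // not parseable as a URL (e.g. bare "domain1.com")
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.origin; // e.g. "https://domain1.com"; path and query are dropped
}

// Decide the frame-control headers for one request.
// originParam: value of the ?origin= query parameter (may be undefined)
// referer:     value of the Referer request header (may be undefined)
// Returns an object mapping header name to value. Both headers are always
// emitted so that CSP-capable browsers and IE 8-11 get the same policy.
function frameHeadersFor(originParam, referer) {
  const allowed = new Set(ALLOWED_FRAMERS.map(normalizeOrigin));
  // Prefer the explicit parameter; fall back to Referer if present.
  const candidate = normalizeOrigin(originParam) || normalizeOrigin(referer);
  if (candidate !== null && allowed.has(candidate)) {
    return {
      // Modern browsers: CSP frame-ancestors wins over X-Frame-Options.
      'Content-Security-Policy': `frame-ancestors 'self' ${candidate}`,
      // IE 8-11: ALLOW-FROM accepts exactly one origin.
      'X-Frame-Options': `ALLOW-FROM ${candidate}`,
    };
  }
  // Deny by default: only same-origin framing.
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Express-style middleware (assumed signature; Express itself is not required
// to run this file). req.query.origin and req.headers.referer are the fields
// Express populates for the query string and the Referer header.
function frameAncestorsMiddleware(req, res, next) {
  const headers = frameHeadersFor(
    req.query && req.query.origin,
    req.headers && req.headers.referer
  );
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  next();
}

// Constructed sample requests showing accept, lookalike, Referer fallback and
// a non-http scheme.
const SAMPLE_REQUESTS = [
  ['https://domain1.com', undefined],
  ['https://domain1.com.evil.test', undefined],
  [undefined, 'https://domain2.com/page.html'],
  ['javascript:alert(1)', undefined],
];
for (const [origin, referer] of SAMPLE_REQUESTS) {
  console.log(origin, referer, frameHeadersFor(origin, referer));
}
```

In an Express app this would be registered with app.use(frameAncestorsMiddleware) before the route handlers. Note that the Referer fallback is only a convenience: the header is optional and can be suppressed by referrer policies, so the explicit origin parameter is what the first answer relies on.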
The following apache configuration works for me in all major browsers (April 2018):
<IfModule mod_headers.c>
    Header set Content-Security-Policy "frame-ancestors http://*.example.com/ 'self';"
    # For IE 11 and below
    Header set X-Frame-Options SAMEORIGIN
    Header append X-Frame-Options "ALLOW-FROM http://example.com/"
</IfModule>