I have an ASP.NET 4.0 IIS 7.5 site which I need secured using the X-Frame-Options header.
I also need to enable my site pages to be iframed from my same domain as well as from my Facebook app.
Currently I have my site configured with a site header of:
Response.Headers.Add("X-Frame-Options", "ALLOW-FROM SAMEDOMAIN, www.facebook.com/MyFBSite")
When I viewed my Facebook page with Chrome or Firefox, my site's pages (being iframed within my Facebook page) are displayed OK, but under IE9 I get the error "this page cannot be displayed…" (because of the X-Frame-Options restriction).
How do I set the X-Frame-Options: ALLOW-FROM header to support more than a single domain?
X-Frame-Options, being a new feature, seems fundamentally flawed if only a single domain can be defined.
As per the MDN specifications, X-Frame-Options: ALLOW-FROM is not supported in Chrome and support is unknown in Edge and Opera. Content-Security-Policy: frame-ancestors overrides X-Frame-Options (as per this W3 spec), but frame-ancestors has limited compatibility. As per these MDN specs, it's not supported in IE or Edge.

Not exactly the same, but could work for some cases: there is another option, ALLOWALL, which will effectively remove the restriction, which might be a nice thing for testing/pre-production environments.

One possible workaround would be using a "frame-breaker" script as described here.
You just need to alter the "if" statement to check for your allowed domains.
This workaround would be safe, I think, because with JavaScript not enabled you will have no security concern about a malicious website framing your page.
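Building on the frame-ancestors answer above, here is an added example (not from the question or any of the answers) that turns one allow-list into both headers: Content-Security-Policy: frame-ancestors carries the full list, while X-Frame-Options, which accepts only a single ALLOW-FROM origin, gets the first one as a fallback. It assumes Node.js with the WHATWG URL API; the Facebook entry is the one from the question, reduced to its origin.

```javascript
'use strict';

// Reduce an allow-list entry to a bare origin (scheme://host[:port]).
// An entry carrying a path, such as "www.facebook.com/MyFBSite", is the
// kind of value that makes ALLOW-FROM invalid, so only the origin survives.
function toOrigin(entry) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(entry) ? entry : `https://${entry}`;
  const url = new URL(withScheme);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme in allow-list entry: ${entry}`);
  }
  return url.origin;
}

// Build the framing headers for a page that may be framed by its own origin
// plus the given third-party entries. Returns a plain object the caller
// writes to the response (Response.Headers[...] in ASP.NET, res.setHeader in Node).
function buildFramingHeaders(thirdPartyEntries, allowSelf = true) {
  const origins = [...new Set(thirdPartyEntries.map(toOrigin))];
  const sources = (allowSelf ? ["'self'"] : []).concat(origins);
  const headers = {
    // frame-ancestors takes any number of sources and wins where supported.
    'Content-Security-Policy': `frame-ancestors ${sources.length ? sources.join(' ') : "'none'"}`,
  };
  // X-Frame-Options is the fallback for browsers without frame-ancestors
  // support. It cannot express a list: SAMEORIGIN when only the site itself
  // may frame the page, DENY when nobody may, otherwise ALLOW-FROM with the
  // first third-party origin only (same-origin framing is then not covered
  // by this header, which is the limitation the question runs into).
  if (origins.length === 0) {
    headers['X-Frame-Options'] = allowSelf ? 'SAMEORIGIN' : 'DENY';
  } else {
    headers['X-Frame-Options'] = `ALLOW-FROM ${origins[0]}`;
  }
  return headers;
}
```

Browsers that honour only X-Frame-Options will admit just that one origin, so the frame-ancestors list is what actually delivers multi-domain framing where it is supported.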