Allow others to iframe my site - asp.net

If others try to iframe my site they get the error "Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'". Do they have to change something, or I, or both?
I found there are options for X-Frame-Options: SAMEORIGIN, DENY, and allow only one site. Configuration: IIS8, ASP.NET MVC. Are there any global settings to allow others to iframe my site?

In your global.asax.cs set X-Frame-Options to AllowAll:
```csharp
protected void Application_PreSendRequestHeaders()
{
    // Drop any X-Frame-Options value already set (for example by web.config customHeaders)
    Response.Headers.Remove("X-Frame-Options");
    // "AllowAll" is not a value the header defines (only DENY, SAMEORIGIN and the obsolete
    // ALLOW-FROM are); browsers ignore an unrecognised value, which is why framing then works
    Response.AddHeader("X-Frame-Options", "AllowAll");
}
```

Since your website is the frame target, you would make all the changes to your website. As you will see below, this is quite simple.
Option 1 - Modify your web application's web.config file
Remove the X-Frame-Options custom header.
Before:
```xml
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="AllowAll" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
```
After:
```xml
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders/>
  </httpProtocol>
  ...
</system.webServer>
```
Option 2 - Log onto the web server and access IIS Manager
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. Select X-Frame-Options from the list.
5. In the Actions pane on the right side, click Remove.
6. Click OK to save your changes.

Related

Acumatica Screens in Wordpress iFrame

Does anyone know how to get Acumatica screens embedded in an iFrame in a WordPress site? When embedding an Acumatica screen in WordPress I see the login screen; however, after a successful login I receive a "refused to connect" error.
I tried modifying the X-Frame setting in the web.config file, but there is still no difference after login. Does anyone know what changes need to be made on the Acumatica site to allow this? Or is it possibly a change that needs to happen in WordPress?
I realize that we should look at integrating SSO, but conceptually I would think that the iFrames would work with or without SSO being set up yet. Or am I wrong in that assumption?
The answer provided by Hugues is very valid, but in the scope of same-site cookies.
With an iFrame you would generally get the following exception:
The loading of “https://yoursite.acumatica.com/Main?HideScript=On” in a frame is denied by “X-Frame-Options“ directive set to “SAMEORIGIN“.
For a while the solution was to add an explicit X-Frame-Options header and specify in ALLOW-FROM the URI of the site you would like to allow to open Acumatica in an iFrame; this, however, is now outdated: X-Frame-Options
The currently suggested way is to use the frame-ancestors directive of the Content-Security-Policy header (frame-ancestors).
For applications that run on IIS, like Acumatica, it is done by finding this clause in web.config:
```xml
<httpProtocol>
  <customHeaders>
    ...
```
and adding to it a line like the following example:
```xml
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://my.site1.com *.site2.net http://localhost:82" />
```
This is just a syntax example that will allow Acumatica to be opened in an iFrame on the same domain, on my.site1.com, on all subdomains of site2.net (wildcard), and even on a site deployed locally on the server that listens on port 82. Please use the last one (http://localhost:82) only for testing purposes.
So the end result in your web.config should look similar to this block (based on the SalesDemo deployment):
```xml
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Content-Security-Policy" value="frame-ancestors 'self' https://yourWordPressUri" />
  </customHeaders>
</httpProtocol>
```
Hope this helps.
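To check which embedding origins a given set of response headers actually permits, here is an added Python example (not code from any of the posts above) that evaluates both the X-Frame-Options header discussed in the first question and the CSP frame-ancestors source list from this answer. The header dictionary and the page and embedder origins are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Normalise an origin URL to (scheme, host, port)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def _source_matches(source, page, embedder):
    """Match one CSP frame-ancestors source expression against the embedder origin."""
    src = source.lower()
    if src == "'self'":
        return page == embedder
    if src == "'none'":
        return False
    if src == "*":
        return True
    scheme, host, port = embedder
    src_scheme, sep, rest = src.partition("://")
    if not sep:                      # no scheme given: the page's own scheme applies
        src_scheme, rest = page[0], src
    if scheme != src_scheme and not (src_scheme == "http" and scheme == "https"):
        return False                 # an http: source also matches https embedders
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_host.startswith("*."):    # wildcard: any subdomain, but not the bare domain
        if not (host.endswith(src_host[1:]) and len(host) > len(src_host) - 1):
            return False
    elif host != src_host:
        return False
    if src_port == "*":
        return True
    if src_port:
        return port == int(src_port)
    return port == DEFAULT_PORTS.get(scheme)   # no port in source: default port only

def frame_allowed(headers, page_origin, embedder_origin):
    """True if a current browser would let embedder_origin put page_origin in a frame.
    A Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    page, emb = _origin(page_origin), _origin(embedder_origin)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, page, emb) for s in sources.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == emb
    # ALLOW-FROM is obsolete and values like "AllowAll" are not defined: browsers
    # ignore an unrecognised X-Frame-Options header, so framing is permitted.
    return True

# Constructed sample: the frame-ancestors policy from the answer above, as served by the Acumatica site.
ACUMATICA_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://my.site1.com *.site2.net http://localhost:82"
}
```

Because the policy carries no scheme on `*.site2.net`, only https embedders on that domain match when the framed page itself is served over https.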
I believe you are running into a same-site cookie policy error. If the issue was a cross-site scripting error you wouldn't see the login page.
The same-site cookie policy can be disabled in the web.config file:
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48
Change the web.config file settings as follows:
Step 1: Open the web.config file, which is located in the application instance folder.
Step 2: Find the <system.web> section and add the following line to this section:
Note! The first occurrence of <system.web>, located in the <location> tag, is not the needed section.
Step 3: Add the text highlighted in bold to the following lines:
```xml
<formsAuth loginUrl="Frames/Login.aspx" timeout="60" requireSSL="true" />
<sessionState cookieSameSite="None" cookieless="UseCookies" mode="Custom" customProvider="PXSessionStateStore" timeout="60" sessionIDManagerType="PX.Owin.SessionIdManager, PX.Owin">
```

Issue with loading localhost site in IFrame

I have an MVC site that I want to load into an iframe. I have set X-Frame-Options to AllowAll. When I try to load the site, I can see the HTML document in the developer tools, but the iframe in the page is blank.
I tried to create a web application on localhost with a different port number, where I tried to load the MVC site in an iframe; it didn't work.
I tried to add an HTML page to the same MVC site and load the site itself in that page's iframe (assuming a port issue), but it still will not load.
Any help will be appreciated.
I recently ran into a similar issue. The X-Frame-Options header did not work for me. I had to use the Content-Security-Policy header. In the web.config file, I set it to frame-src https://my-domain.com like this:
```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- frame-src restricts what this site's own pages may embed; the directive that
           governs who may embed this site is frame-ancestors -->
      <add name="Content-Security-Policy" value="frame-src {your domain here}" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Strip off Cache-control and Pragma: no-cache http headers without using an Http Module

The Issue:
We have a .aspx (WebForms) page that enables users to download the displayed report as an MS Excel download. This page is served as part of a web application as well as inside a browser frame (ieframe) in a desktop app.
The download works fine over HTTP on all browsers as well as inside the browser frame.
When we switch to HTTPS (in the production environment) the download refuses to work.
This SO Question details the problem and the cause in detail.
As the solution involved stripping off Cache-Control: no-cache and Pragma: no-cache, I wrote an HTTP module to achieve this.
The Proposed Solution:
The HttpModule is basically doing this using the PreSendRequestHeaders event:
```csharp
private void OnPreSendRequestHeaders(object sender, EventArgs e)
{
    if (null == _httpApplication)
    {
        return;
    }
    if (_httpApplication.Context != null)
    {
        var response = _httpApplication.Response;
        // Only touch the response for the report page itself
        if (_httpApplication.Request.Url.AbsoluteUri.ToLowerInvariant().Contains("mypage.aspx"))
        {
            // HeadersToCloak holds the header names to strip (Cache-Control, Pragma)
            HeadersToCloak.ForEach(header => response.Headers.Remove(header));
            response.Headers.Add("Cache-Control", "private, max-age=15");
        }
    }
}
```
The bone of contention:
During code review, I've been told that this would not be a good solution as my custom module would run for all requests and would thus have performance implications.
The web.config for the application has runAllManagedModulesForAllRequests="true" under the system.webServer node, and this is required for other functionality required by the application.
What I have tried:
Tried placing the code to remove and add headers on the ASPX page itself inside several events (one by one), including RenderComplete, but when I examine the response in Fiddler, the troublesome headers are still there (not replaced with the intended headers).
I've looked up the preCondition tag as explained HERE, but since we run under integrated pipeline mode and have runAllManagedModulesForAllRequests="true", the preCondition would be meaningless.
Questions requiring help:
Q1) Given that the module will run for all requests including static files and that I'm doing actual work only if the requested URI is for the page in question, how much of a performance impact does running this module have?
Q2) How can I otherwise remove and set headers only for one page?
Q3) Given the constraints, is it possible to only run this module for managed requests only or for my page only (don't think the latter is possible)?
The solution agreed upon is as follows:
1) Move the set of pages for which the functionality to strip headers is required into their own separate folder under the root application.
2) Place a web.config in this folder with the following settings under system.webServer:
```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="HeaderStripModule" />
    <add name="HeaderStripModule" type="Com.Reports.HeaderStripModule" />
  </modules>
</system.webServer>
```
In the root web.config, I placed this setting:
```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="HeaderStripModule" />
  </modules>
</system.webServer>
```
After these changes, I verified through Fiddler and found that the module (expectedly) only runs for the pages within the folder (which is set as an application under IIS).

IIS and Static content?

According to Ultra-Fast ASP.NET: Chapter 3 - Caching:
Files that the browser retrieves from the server should be stored in
the browser’s cache as long as possible to help minimize server
round-trips.
But how does IIS know what is actually static content and what is not?
Is it just images, CSS and JS, and not ASPX, ASHX, etc.?
Where can I see in IIS what is already considered to be static and what is not?
What about the scenario where a page has been declared with an <%# OutputCache header (without location)? Are the images, CSS and JS source files inside it also being output cached with the same properties?
As a best practice, I should set one year into the future as the maximum expiration time. I should use that as the default for all static content on the site.
So I did this:
But later, after pressing OK, I can't find any summary menu which shows me to whom I already applied a response header (in this case: the css folder).
Currently, in order to see that the css folder has had response headers applied, I have to go to the css folder again --> HTTP Response Headers --> Set Common Headers, and then I see it. It isn't written in the web.config.
But if I do it for a file (Login.aspx for example), I do see it in web.config:
```xml
<configuration>
  <location path="Login.aspx">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlMode="UseExpires" cacheControlMaxAge="1.00:00:00" httpExpires="Fri, 15 Feb 2013 00:00:00 GMT" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
```
I understand your situation. Sometimes it's confusing how IIS handles a file. It's also different for IIS 6 vs IIS 7, and different for Classic app pools and Integrated mode app pools. My experience is mostly with Integrated app pools on IIS 7.5, so that's the environment I can comment on most accurately.
First Question
But how does IIS knows what is actually a static content and what is
not?
Is it just images , css , js and not ASPX , ashx...?
Where can I see in the IIS what is already considered to be static and
what not ?
You can inspect the list of file handlers in IIS by navigating to your website and then clicking 'Handler Mappings'. By default these are inherited from the .NET base web.config, which is in a different location depending on your .NET framework version:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config
If a file being requested isn't already explicitly mapped to another handler, it falls to a catch-all handler (*) as the last option (System.Web.DefaultHttpHandler), which determines if it is a static file or a directory browsing request. So static files are simply files not bound to another handler already. For example, you'll see that *.aspx is already mapped to System.Web.UI.PageHandlerFactory prior to this default handler, so it's going to be processed by that handler and not be considered a static file. If you removed that mapping you could technically serve *.aspx as a static file if you really wanted to (just as proof of how it works).
But you can also explicitly list a file type as a static file by adding an entry in your web.config's httpHandlers section mapping the file extension to System.Web.StaticFileHandler in IIS. For example:
```xml
<configuration>
  <system.webServer>
    <handlers>
      <add name="StaticHandler" verb="*" path="*.zip" type="System.Web.StaticFileHandler" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>
```
This example is using the <system.webServer> config section, so it's for an app pool running in Integrated Mode.
Second Question
What about the scenario where a page has been declared with <%#
OutputCache header(without location) . does the images,css,js src
files inside of it , are also being output cached with the same
properties?
No. Because the page is being served as a separate request (maybe even by a separate handler) it can have totally different cache headers/hints. The host page and the resources it may use are not related from a caching perspective.
In fact, you may even want to have a shorter cache period for *.html and a longer cache period for *.jpg or *.png. Something to consider.
Third Question
As a best prcatice , I should set one year into the future as the
maximum expiration time.I should use that as the default for all
static content on the site
Hmm... I might not go as far as one year. How about one month? I would set a global policy like this:
```xml
<configuration>
  <system.webServer>
    <staticContent>
      <!-- Set expire headers to 30 days for static content -->
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>
```
This is the same as the sample you showed above, but it is not inside a <location> element; instead it is right in the root <configuration> element, so it is the default policy. Again, this is for an app pool running in Integrated Mode. Sometimes you also need to turn on:
```xml
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <!-- stuff -->
    </modules>
  </system.webServer>
</configuration>
```
This just makes sure that static files are processed through the managed static file handler, which respects the above configuration elements.
Edit to Address Comments
The documentation for the configuration dialog you posted above is located here: Configure the HTTP Expires Response Header (IIS 7)
Apparently these settings are saved in C:\Windows\System32\inetsrv\config\applicationHost.config
I do not have IIS7 and personally develop on IIS 7.5 now. So please post a comment if you can verify this location is accurate!
Static content is what IIS reads and sends to the browser without any processing. There you can set up IIS to include a Cache-Control header to cache it on the clients' browsers.
You can do that either by setting it up directly in IIS or by commands in web.config, as you say. The commands that you add in web.config which concern IIS have nothing to do with ASP.NET itself but with IIS, and IIS saves its configuration in a different file, so when you change those cache-control headers directly in IIS you do not see them in web.config.
Now for static content like images, CSS, JavaScript and other similar files, they say that you can follow the "never expire" policy by adding a 10-year expiry.
The issue here is that you then cannot change the content of the static file: if for example you cache a JavaScript file for 10 years and you make a small change to it, then you need either to change the file name or to add some parameter at the end of it.
Now the <%# OutputCache on a control refers to the server cache and not to the client, and what it actually does is cache the rendering of the control on the server, so the next time you ask for it, it does not lose time rendering it again but reads it from the cache; it is still sent to the browser.
And you can also read this answer for some more: What are difference between IIS (Dynamic and Static) cache,OutPutCache and browser cache

IIS 7.0 - IIS adding "private" to cache-control, where is that coming from

Because we protect .PDF files from anonymous users, we have a custom handler, so we have an entry
We also made a change to the HTTP headers to add "cache-control: no-cache,no-store" via IIS 7 management, which creates web.config entries under the system.webServer element as follows:
```xml
<httpProtocol>
  <customHeaders>
    <clear />
    <add name="cache-control" value="no-cache,no-store" />
  </customHeaders>
</httpProtocol>
```
When I review the response headers in a Burp Suite session, I see for .aspx pages: cache-control: no-store,no-cache,no-store
But for PDF pages:
Cache-Control: private,no-cache,no-store
My goal would be to get everything to just "no-cache, no-store". I am not sure what I am missing. There are no other cache settings in the web.config. Please advise on how to remove "private" from PDF pages and the extra no-store from all else. Other static pages go through the System.Web.StaticFileHandler, and they also have the "no-store,no-cache,no-store".
Although this post is now a few years old, I thought I would share my solution, which may save someone hours of head-scratching.
I have an MVC 4 site set up using IIS, and my aim was to have IIS add headers to certain files (defined by location) by using the <customHeaders> section. The 'cache-control' values I had in the <customHeaders> section were being appended to the end of 'cache-control: private', magically being added by IIS.
This was because of the runAllManagedModulesForAllRequests setting in my web.config being set to true:
```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
  </modules>
</system.webServer>
```
This setting was causing one of the IIS modules (I don't know which) to append the 'cache-control' header to every file being requested from IIS.
So the solution is to set this to false, and manage each of your modules separately using the preCondition attribute on each.
The runAllManagedModulesForAllRequests setting was required by earlier versions of MVC because extensionless routing would not work without it. This has since been fixed; more details here:
http://blogs.msdn.com/b/tmarq/archive/2010/04/01/asp-net-4-0-enables-routing-of-extensionless-urls-without-impacting-static-requests.aspx
Useful reading on the use of runAllManagedModulesForAllRequests:
http://weblog.west-wind.com/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78
I can't tell you why IIS 7 is adding "private" to the cache control, but I can show you how I'm getting rid of it in my own ASHX-based pass-through proxy (see 1st comment below Original Post).
```csharp
public class proxy : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        // Remove the 'private' string value from the response.CacheControl member
        if (response.CacheControl == "private")
        {
            response.CacheControl = String.Empty;
        }
        // Do other stuff
    }

    // Required by IHttpHandler; the handler keeps no per-request state, but returning
    // false is the conservative choice
    public bool IsReusable
    {
        get { return false; }
    }
}
```
This won't work if you're using the built-in Cassini web development server in Visual Studio. To mess with headers, you need to switch to a full-blown IIS web server in your development environment.
