As the title states, I'm having issues with displaying my page in an iframe using x-frame-options: sameorigin
Looking at possible solutions, I came across x-frame-options: allow-from url, which made no difference. All of my resources are also served via https.
When using both x-frame-options: sameorigin and X-Frame-Options: allow-from url, the sameorigin header is disabled.
Also, documentation on x-frame-options found here:
> ALLOW-FROM uri
>
> This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
I currently have the above-mentioned frame-ancestors implemented for other browsers' support, e.g. Chrome, Safari, or Firefox, which is however unsupported by IE11. This is a security layer that I don't want to remove to avoid clickjacking.
Any advice?
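Added example, not code from the question or the answer: a small model of how the two header families interact, so the header set a server sends can be checked against a given embedder before testing in real browsers. It assumes the usual rules (modern browsers honour `frame-ancestors` and ignore `X-Frame-Options` when it is present, and ignore the obsolete `ALLOW-FROM`; IE11 honours `X-Frame-Options` including `ALLOW-FROM` and does not support `frame-ancestors`); the page URL and header values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample headers (the question does not show its real ones).
PAGE = "https://app.example/widget"
HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
}

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def frame_ancestors_allows(csp, page, embedder):
    """Evaluate CSP frame-ancestors; returns None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in parts[1:]:
            s = src.lower().strip("'")          # 'self' and 'none' are quoted
            if s == "none":
                return False
            if s == "self" and origin(page) == origin(embedder):
                return True
            if s == origin(embedder):
                return True
        return False                            # list present, nothing matched
    return None

def xfo_allows(value, page, embedder, legacy):
    """Evaluate X-Frame-Options as a modern browser (legacy=False) or IE11."""
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return origin(page) == origin(embedder)
    if v.startswith("ALLOW-FROM"):
        if not legacy:
            return True      # obsolete directive: modern browsers ignore the header
        return origin(v.split(None, 1)[1]) == origin(embedder)
    return True              # unrecognised value is ignored

def can_frame(headers, page, embedder, browser):
    """browser is 'modern' (frame-ancestors wins) or 'ie11' (X-Frame-Options only)."""
    csp = headers.get("Content-Security-Policy", "")
    xfo = headers.get("X-Frame-Options")
    if browser == "modern":
        verdict = frame_ancestors_allows(csp, page, embedder)
        if verdict is not None:
            return verdict   # CSP2: when frame-ancestors is present, XFO is ignored
    return xfo_allows(xfo, page, embedder, legacy=(browser == "ie11")) if xfo else True
```

Running it with `SAMEORIGIN` in place of `ALLOW-FROM` shows the IE11 embed from the partner origin being refused, and dropping the CSP header shows why it has to stay: modern browsers would then frame the page from any origin.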
As explained in the question, I found that when appending another x-frame-options header, the sameorigin was disabled. So I modified the header slightly and found the following to work perfectly for IE11 and did not affect the other browsers: