I have an ASP.NET 4.0 IIS 7.5 site which I need to secure using the X-Frame-Options header.
I also need to allow my site's pages to be iframed from my own domain as well as from my Facebook app.
Currently I have my site configured with a site header of:
Response.Headers.Add("X-Frame-Options", "ALLOW-FROM SAMEDOMAIN, www.facebook.com/MyFBSite");
When I view my Facebook page with Chrome or Firefox, my site's pages (being iframed within my Facebook page) display OK, but under IE9 I get the error:
"This page cannot be displayed…" (because of the X-Frame-Options restriction).
How do I set X-Frame-Options: ALLOW-FROM to support more than a single domain?
X-Frame-Options, being a new feature, seems fundamentally flawed if only a single domain can be defined.
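An added worked example, not code from the question above. The header value in the question is not valid X-Frame-Options syntax: RFC 7034 allows exactly one serialized origin after ALLOW-FROM (scheme and host, no path, no comma-separated list), and the token for the site's own origin is SAMEORIGIN, not SAMEDOMAIN. IE9 applies the header and refuses to render when it cannot parse the value, while Chrome never implemented ALLOW-FROM at all and simply ignores it, which is why the page "works" there. Since a single header cannot name several origins, one approach is to pick the ALLOW-FROM origin per request from an allowlist, using the Referer of the framing page as a hint, and to send Content-Security-Policy frame-ancestors alongside it, which lists every allowed origin in one header and is what current browsers honour (ALLOW-FROM is obsolete today). The module below does that for an IIS 7.5 integrated-pipeline site; the Facebook origins in the allowlist are assumptions, not taken from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (not code from the question). An HttpModule that chooses
// the framing-control headers per request. X-Frame-Options ALLOW-FROM
// carries exactly one origin (RFC 7034): no comma list, no path, and the
// own-origin token is SAMEORIGIN, not SAMEDOMAIN. Browsers that never
// implemented ALLOW-FROM ignore it, so Content-Security-Policy
// frame-ancestors is sent as well with the whole allowlist.
// The Facebook origins below are assumed values.
public class FrameAncestorsModule : IHttpModule
{
    // Third-party origins allowed to frame this site: scheme + host only.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.facebook.com",   // assumed
            "https://apps.facebook.com"   // assumed
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpResponse res = ctx.Response;

        string selfOrigin = ctx.Request.Url.GetLeftPart(UriPartial.Authority);
        string framerOrigin = GetRefererOrigin(ctx.Request);

        // Pick the single value ALLOW-FROM can express for this request.
        // Default-deny: an unknown or missing framer gets DENY.
        string xfo = ChooseXFrameOptions(selfOrigin, framerOrigin, AllowedOrigins);
        res.AppendHeader("X-Frame-Options", xfo);

        // frame-ancestors takes the whole allowlist in one header; browsers
        // that do not know the directive ignore it, so it is safe to always send.
        res.AppendHeader("Content-Security-Policy",
            "frame-ancestors 'self' " + string.Join(" ", AllowedOrigins));
    }

    // Origin (scheme://host[:port]) of the page that embedded us, or null
    // when there is no usable Referer. The Referer is only a hint: it can be
    // absent or stripped, in which case the decision falls through to DENY.
    private static string GetRefererOrigin(HttpRequest req)
    {
        try
        {
            Uri referer = req.UrlReferrer; // throws UriFormatException on a malformed Referer
            return referer == null ? null : referer.GetLeftPart(UriPartial.Authority);
        }
        catch (UriFormatException)
        {
            return null;
        }
    }

    // Pure decision logic, kept separate so it can be unit-tested without IIS.
    public static string ChooseXFrameOptions(string selfOrigin, string framerOrigin,
                                             ICollection<string> allowed)
    {
        if (framerOrigin == null)
            return "DENY";
        if (string.Equals(framerOrigin, selfOrigin, StringComparison.OrdinalIgnoreCase))
            return "SAMEORIGIN";
        if (allowed.Contains(framerOrigin))
            return "ALLOW-FROM " + framerOrigin;
        return "DENY";
    }
}
```

Register the module in web.config under system.webServer/modules with an add element whose type is FrameAncestorsModule (the name attribute is arbitrary). Two caveats: the Referer check is a heuristic for choosing which single origin to name, not a security boundary, and the browser's own enforcement of the header is what actually blocks framing; and because the list is default-deny, a page opened outside any frame with no Referer also gets DENY, which is harmless for a top-level navigation.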