X-Frame-Options Allow-From multiple domains

user1340663 · Apr 18, 2012 · Viewed 171.4k times

I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header.

I also need to enable my site pages to be iframed from my same domain as well as from my Facebook app.

Currently I have my site configured with a site header of:

Response.Headers.Add("X-Frame-Options", "ALLOW-FROM SAMEDOMAIN, www.facebook.com/MyFBSite")

When I view my Facebook page with Chrome or Firefox, my site's pages (being iframed with my Facebook page) are displayed OK, but under IE9, I get the error:

"this page cannot be displayed…" (because of the X-Frame-Options restriction).

How do I set the X-Frame-Options: ALLOW-FROM to support more than a single domain?

X-FRAME-OPTIONS, being a new feature, seems fundamentally flawed if only a single domain can be defined.

Answer

Kobi · Sep 2, 2014

X-Frame-Options is deprecated. From MDN:

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Do not use it in old or new projects. Pages or Web apps using it may break at any time.
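
An added example, not code from the question or the answer: ALLOW-FROM takes a single origin, while the Content-Security-Policy `frame-ancestors` directive takes a list, so the C# below builds the framing headers from an allowlist of embedding sites. `FramingPolicy`, `ToOrigin`, `BuildHeaders` and the sample allowlist are hypothetical names, and it assumes browsers without `frame-ancestors` support are out of scope.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical helper), not code from the question or answer.
public static class FramingPolicy
{
    // Reduce an allowlist entry to scheme://host[:port]. Entries without a
    // scheme (such as "www.facebook.com/MyFBSite") are rejected, not guessed.
    public static string ToOrigin(string entry)
    {
        Uri uri;
        bool ok = Uri.TryCreate(entry, UriKind.Absolute, out uri)
                  && (uri.Scheme == Uri.UriSchemeHttps || uri.Scheme == Uri.UriSchemeHttp);
        if (!ok)
            throw new ArgumentException("Not an absolute http(s) URL: " + entry);
        return uri.Scheme + "://" + uri.Host + (uri.IsDefaultPort ? "" : ":" + uri.Port);
    }

    public static IDictionary<string, string> BuildHeaders(IEnumerable<string> externalEmbedders)
    {
        List<string> origins = externalEmbedders.Select(ToOrigin).Distinct().ToList();
        var headers = new Dictionary<string, string>();

        // frame-ancestors accepts a space-separated source list, so the site
        // itself ('self') and every allowed embedder fit in one header.
        headers["Content-Security-Policy"] =
            ("frame-ancestors 'self' " + string.Join(" ", origins)).TrimEnd();

        // X-Frame-Options holds a single value, so it is sent only when it
        // states the same policy as the CSP header: same-origin framing only.
        if (origins.Count == 0)
            headers["X-Frame-Options"] = "SAMEORIGIN";
        return headers;
    }

    public static void Main()
    {
        // Constructed allowlist; the path is dropped when reducing to an origin.
        var embedders = new[] { "https://www.facebook.com/MyFBSite" };
        foreach (var h in BuildHeaders(embedders))
            Console.WriteLine(h.Key + ": " + h.Value);
        // In ASP.NET each pair would be passed to Response.AddHeader(h.Key, h.Value).
    }
}
```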