I am having an issue using X-Frame-Options to embed one site as an iFrame into another (different domains) with IE 11 and Edge. My research and experience indicate that IE doesn't yet support CSP Level 2 frame-ancestors, so I must use X-Frame-Options.
I have added the response header X-Frame-Options: ALLOW-FROM https://<mysite>.com to the site that needs to be embedded.
These are secured sites so I am unable to provide real URLs to this community.
When I launch the main site, which contains an iFrame with content from the second site, I am able to see the X-Frame-Options header in the response for the iframe content and it looks to be applied correctly. However, IE indicates "...modified this page to help prevent cross-site scripting" and my frame contains only the # symbol.
Due to timing and internal IT delays, I am unable to have both sites hosted in the same domain.
Can anyone help to explain what I did wrong in implementing X-Frame-Options, or if there is another option to achieve the desired effect?
IE 11 does not follow the standard, which means you cannot use "*", so you have to give the domain name with http/https.

# Rails controller callback (e.g. registered with before_action) that sets
# CORS headers and relaxes framing for one specific parent origin.
def cors_set_access_control_headers
  headers["Access-Control-Allow-Origin"] = "*"
  headers["Access-Control-Allow-Methods"] = "GET"
  # Access-Control-Request-Method is a request header sent by the browser;
  # including it in the response has no effect.
  headers["Access-Control-Request-Method"] = "*"
  headers["Access-Control-Allow-Headers"] = "Origin, X-Requested-With, Content-Type, Accept, Authorization"
  # ALLOW-FROM accepts a single scheme://host origin; IE 11 rejects "*".
  headers["X-Frame-Options"] = "ALLOW-FROM http://172.16.1.159"
  # Disables the IE XSS filter (the source of the "modified this page" message).
  headers["X-XSS-Protection"] = "0"
end
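Since ALLOW-FROM takes exactly one URI while frame-ancestors takes a list, a common way to serve both IE 11 and CSP-capable browsers is to emit frame-ancestors with the full allowlist and pick the single ALLOW-FROM origin from the requesting parent. The Ruby below is an added example, not code from the question or the answer above; the allowlisted domains are constructed placeholders, and choosing the parent from the Referer header is an assumption (the header may be absent or stripped by referrer policy, so the fallback is DENY rather than a permissive default).

```ruby
require "uri"

# Constructed allowlist of origins permitted to frame this site (assumption:
# placeholder domains, not the asker's real sites).
ALLOWED_FRAMING_ORIGINS = %w[https://portal.example.com https://intranet.example.org].freeze

# Reduce a URL to its origin (scheme://host[:port]) so it can be compared
# against the allowlist; returns nil for anything unparsable or non-http(s).
def origin_of(url)
  return nil if url.nil? || url.empty?
  uri = URI.parse(url)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# Build the anti-framing response headers for one request.
# - Content-Security-Policy frame-ancestors carries the whole allowlist for
#   browsers that honour CSP Level 2.
# - X-Frame-Options ALLOW-FROM takes one URI, so the parent origin is taken
#   from the Referer when it is allowlisted; anything else gets DENY.
#   (Assumption: Referer-based selection is a workaround, hence the DENY fallback.)
def frame_headers(referer, allowed = ALLOWED_FRAMING_ORIGINS)
  headers = { "Content-Security-Policy" => "frame-ancestors #{allowed.join(' ')}" }
  parent = origin_of(referer)
  headers["X-Frame-Options"] = if parent && allowed.include?(parent)
                                 "ALLOW-FROM #{parent}"
                               else
                                 "DENY"
                               end
  headers
end
```

In a Rails controller this would be wired as a before_action that does headers.merge!(frame_headers(request.referer)); a parent page at an unlisted origin, or a request with no Referer, then receives DENY and the frame stays blank instead of being silently allowed.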