Welcome Guest Search | Active Topics | Sign In | Register

Cannot override/ignore X-Frame-Options SAMEORIGIN Options
Ron DeFulio
Posted: Monday, October 23, 2017 1:31:07 PM
Rank: Newbie
Groups: Member

Joined: 2/18/2015
Posts: 4
Hello,

I have a project where we are trying to load a thirdparty site into an IFRAME inside EO WebBrowser. We are trying to override/ignore the X-Frame-Options SAMEORIGIN security setting but the browser control does not seem to respect the fact we have EnableWebSecurity=False and EnableXSSAuditor=False set in the code.

We are using this code to set up the browser --

Dim bo As New BrowserOptions
bo.EnableWebSecurity = False
bo.EnableXSSAuditor = False
EO.WebEngine.Engine.Default.Options.SetDefaultBrowserOptions(bo)

Dim wv As New WebView
wv.SetOptions(bo)

WebControl1.WebView = wv

When we attempt to load the site into the IFRAME we get the following "Refused to display" error



Is this a bug in webview or is there another option I need to toggle to allow the IFRAME to display?

Thanks

Ron
eo_support
Posted: Tuesday, October 24, 2017 2:42:51 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Hi,

There is no way for you to bypass x-frame-options. x-frame-options and EnableWebSecurity are two similar but different options. Setting EnableWebSecurity turns off the default cross site security check, but it does not turn off x-frame-options, which is an additional option specifically for iframe. You can also think that EnableWebSecurity changes the default behaviors, where as x-frame-options overrides the default behaviors. They are are in two completely different code path, so one does not affect the other.

Thanks!
Michael Koenig
Posted: Thursday, September 6, 2018 7:03:53 AM
Rank: Newbie
Groups: Member

Joined: 6/28/2018
Posts: 2
Hello,

we're are using EO.Total 18.2.53.0. Is there any way in that version to bypass x-frame-options/sameorigin?
eo_support
Posted: Thursday, September 6, 2018 11:55:22 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,217
Michael Koenig wrote:
Hello,

we're are using EO.Total 18.2.53.0. Is there any way in that version to bypass x-frame-options/sameorigin?


No. I do not believe anything has changed regarding this since our last reply.
leneborma
Posted: Friday, August 27, 2021 3:06:24 AM
Rank: Newbie
Groups: Member

Joined: 8/27/2021
Posts: 1
X-Frame-Options is a header included in the response to the request to state if the domain requested will allow itself to be displayed within a frame. It has nothing to do with javascript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource . They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. Browsers when see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.



You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.