How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?

Asked 6/5, 2010 at 17:26 Answered 16/8, 2016 at 8:31

Solved asp.net sharepoint http x-frame-options

I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.

The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.

First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?

Second, can I do something to tell the browser to ignore this http header and just render the frame?

Eliseelisee answered 6/5, 2010 at 17:26 Comment(0)

If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.

There's nothing you can do to circumvent it and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says not allowed in frames. That would make it easier for session hijacking.

If the content is GET only you don't post data back then you could get the page server side and proxy the content without the header, but then any post back should get invalidated.

Commissary answered 15/6, 2010 at 12:32 Comment(4)

displaying in an iframe is not allowed, but is there a way to still get the html as a raw String? – Nombril 21/10, 2016 at 12:34

You should be able to scrape it and do whatever you want with the markup. – Ares 6/1, 2018 at 18:33

@Ares that's what I meant by proxy the content :-) – Commissary 6/1, 2018 at 18:46

I would rephrase probably ;-) – Ares 6/1, 2018 at 20:2

UPDATE: 2019-12-30

It seem that this tool is no longer working! [Request for update!]

UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.

You can use it as follows:

(Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:
```
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
```

Include the X-Frame-Bypass JS module:

<script type="module" src="x-frame-bypass.js"></script>

Insert the X-Frame-Bypass Custom Element:

<iframe is="x-frame-bypass" src="https://example.org/"></iframe>

Gelt answered 30/8, 2014 at 23:3 Comment(24)

This approach looks to be blocked now. – Hapless 8/3, 2016 at 16:52

"Refused to display 'https://news.ycombinator.com/' in a frame because it set 'X-Frame-Options' to 'DENY'." Followed by "

fiddle.jshell.net/:64 Uncaught SecurityError: Sandbox access violation: Blocked a frame at "http://fiddle.jshell.net" from accessing a frame at "null".  The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

" – Aksel 14/6, 2016 at 16:4

@Aksel Refresh the page. It works for me in Firefox 46. – Gelt 15/6, 2016 at 14:53

@Gelt Results are now... inconclusive. Linked version still doesn't load - however, it does load in the jsFiddle editor, and then reloading the embedded view (as linked) displays - but it's pulling from cache. Clearing caching and reloading again fails. I wondered if the contents were being served via a proxy on jsFiddle's server, but the dev tools show network traffic directly to the target site. Even though the console still shows the "refused to display" error. Must do more digging... – Aksel 15/6, 2016 at 18:47

Yes this is not working. Anyone has identified any way to handle this? – Barrio 12/7, 2018 at 11:59

@Barrio & BlueBird: I have updated the demo, it is working for me in Chrome 67. – Gelt 12/7, 2018 at 15:21

@Barrio Tried refreshing the page? What's the error in web console? – Gelt 13/7, 2018 at 14:37

@Gelt - this is working amazingly well. Thanks for the solution. – Barrio 13/7, 2018 at 14:48

How come this is not fixed in all major browsers yet? For me, it works with Firefox 61 against both X-Frame-Options: sameorigin and X-Frame-Options: deny. – Decrease 21/8, 2018 at 22:11

@Decrease it is in Chrome 70 where I get an Uncaught DOMException: Blocked a frame with origin "https://example.org" from accessing a cross-origin frame. – Jordain 2/11, 2018 at 18:44

@JeroenWiertPluimers Have you refreshed the page? – Gelt 21/11, 2018 at 18:11

@Gelt odd: sometimes it works. Sometimes it fails. Not sure why yet. If I find out, I will post here. – Jordain 22/11, 2018 at 17:22

@JeroenWiertPluimers Try my new X-Frame-Bypass custom element! – Gelt 7/1, 2019 at 16:1

x-frame component was great but it wasn't accessible throught google chrome extension.... sigh...! any other clues? – Herringbone 16/9, 2019 at 8:2

This doesn't bypass X-Frame-Options options at all, it just uses a proxy to scrape the target page and return the content without the header. It will only work for GET requests, won't get cookies, can only scrape pages the third party proxies (one ofcors.io, jsonp.afeld.me, cors-anywhere.herokuapp.com) can access (and may leave a copy of the content on one of those sites). As the OP is asking about Sharepoint this connection is likely to be over a VPN and certain to require cookies, neither of which will work with the undocumented third party proxies. – Commissary 21/10, 2019 at 7:11

It seem that this tool is no longer working and no longer being maintained from all the issues at github. Even the example page in the README which try to load something from Hacker News, fails. – Gujral 30/12, 2019 at 18:0

anyone find any solution ? X-Frame-Bypass in this post does not work anymore – Antipope 16/6, 2020 at 5:30

The tool is working fine as of today, at least in Chrome, but I can't get it to work with VueJS. I've tried registering the component, embedding the JS with my Vue code, etc., but no luck. – Poulos 26/8, 2020 at 0:1

Is there a way to protect against this? Since X-Frame-Bypass is working? – Mistletoe 14/5, 2021 at 2:17

@Mistletoe Why would you protect from this functionality? The web should be open, free, not blocked. – Gelt 14/5, 2021 at 16:11

@NickDimou It works fine as of now: i.postimg.cc/CLHBFnZ7/X-Frame-Bypass-Web-Component-Demo.png – Gelt 14/5, 2021 at 16:14

@niutech, if this is the case, please update your answer with today's date. Thank you! – Anemone 14/5, 2021 at 20:5

@Gelt in order to protect my website from clickjacking. – Mistletoe 15/5, 2021 at 18:9

most sites use dynamic javascript to check robots or proxies—that is why these don't work with high-end websites. – Evers 19/8, 2022 at 16:54

The X-Frame-Options header is a security feature enforced at the browser level.

If you have control over your user base (IT dept for corp app), you could try something like a greasemonkey script (if you can a) deploy greasemonkey across everyone and b) deploy your script in a shared way)...

Alternatively, you can proxy their result. Create an endpoint on your server, and have that endpoint open a connection to the target endpoint, and simply funnel traffic backwards.

Huoh answered 18/5, 2012 at 18:18 Comment(0)

Yes Fiddler is an option for me:

Open Fiddler menu > Rules > Customize Rules (this effectively edits CustomRules.js).
Find the function OnBeforeResponse

Add the following lines:

oSession.oResponse.headers.Remove("X-Frame-Options");
oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");

Remember to save the script!

Scarificator answered 16/8, 2016 at 8:31 Comment(0)

As for second question - you can use Fiddler filters to set response X-Frame-Options header manually to something like ALLOW-FROM *. But, of course, this trick will work only for you - other users still won't be able to see iframe content(if they not do the same).

Latonia answered 4/4, 2014 at 8:43 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags