There are several questions about that but I couldn't get the right answer yet. I give a short summary:
Company A has a website with an iframe in it. Company B gives the URL for that iframe. The user uses an application from Company B and with the settings the user chooses it sets up a URL which is delivered to the iframe from Company A.
However, the framing is not working yet because of x-frame-options. The error message is the following:
Load denied by X-Frame-Options: http://www.myurl.com:8088/myPath?panel=panel&user=username does not permit cross-origin framing.
I added
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
to my web.config and also tried to add
    <handlers>
      <remove name="OPTIONS"/>
    </handlers>
without any success.
I got those suggestions from this and this website to add CORS support on my IIS. As I mentioned above, without any success. I'm not that good at web development or IIS so maybe this question sounds stupid to you: Does Company A have to enable CORS or does Company B? Or both? And how? The suggestions I got from Google didn't help yet.
Suggestions appreciated.
That error message isn’t related to the Access-Control-Allow-Origin header nor to OPTIONS handling, so it’s expected that the changes described in the question wouldn’t have any effect.
The cause instead is, the http://www.myurl.com:8088 server’s sending an X-Frame-Options response header in responses for requests to /myPath. So if you don’t want the server to do that, you need to figure out what part of the server code is causing that X-Frame-Options response header to be added, and remove that code.
X-Frame-Options has been replaced by Content-Security-Policy and you can use it as follows:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Content-Security-Policy" value="frame-ancestors 'self' example.com *.example.net ;" />
          <add name="X-Content-Security-Policy" value="frame-ancestors 'self' example.com *.example.net ;" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
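A simplified model of the check the browser applies to the framed response, added here as an illustration and not part of either answer above. It shows that Access-Control-Allow-Origin plays no part in framing, and that a frame-ancestors directive, when present, is used instead of X-Frame-Options. The function names, the SAMEORIGIN value and the parent origin are assumptions; source matching is reduced to the host.

```javascript
// Added illustration: simplified model of how a browser decides whether a
// response may be rendered in a frame. Header names are real; function names
// and sample values are constructed for this example.
function hostMatches(source, host) {
  // "*.example.net" matches subdomains only, not "example.net" itself.
  if (source.startsWith("*.")) return host.endsWith(source.slice(1));
  return source === host;
}

function framingDecision(headers, framedUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const framed = new URL(framedUrl);
  const parent = new URL(parentOrigin);

  // 1. CSP frame-ancestors, when present, decides; X-Frame-Options is ignored.
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const allowed = directive.slice(1).some(src => {
      if (src === "'none'") return false;
      if (src === "*") return true;
      if (src === "'self'") return parent.origin === framed.origin;
      // Simplification: compare hosts only (scheme, path and port are stripped).
      const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
        .replace(/\/.*$/, "").replace(/:(\d+|\*)$/, "");
      return hostMatches(host, parent.hostname);
    });
    return { allowed, decidedBy: "Content-Security-Policy" };
  }

  // 2. Otherwise X-Frame-Options decides (DENY or SAMEORIGIN).
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, decidedBy: "X-Frame-Options" };
  if (xfo === "sameorigin")
    return { allowed: parent.origin === framed.origin, decidedBy: "X-Frame-Options" };

  // 3. No framing header: the frame loads. CORS headers are never consulted.
  return { allowed: true, decidedBy: "none" };
}

// Constructed response modelled on the question: a CORS header was added,
// but the server still sends X-Frame-Options (value assumed).
const sample = { "X-Frame-Options": "SAMEORIGIN", "Access-Control-Allow-Origin": "*" };
console.log(framingDecision(sample,
  "http://www.myurl.com:8088/myPath?panel=panel&user=username",
  "https://company-a.example"));
```

The headers that matter are the ones on the framed page's response, so the change belongs on the server that serves the iframe URL.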