Assume you have two websites, www.domainA.com and www.domainB.com, and you wish to embed www.domainB.com as an iframe element on a page of www.domainA.com. The browser may refuse to load the frame and report an error such as: "Refused to display 'https://www.domainB.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' or 'DENY'."
One way to address this is to remove the "X-Frame-Options" response header from the site www.domainB.com, if possible. Dropping the header on its own would let any site frame the page, so the safer form of this fix is to replace it with a Content-Security-Policy frame-ancestors directive that lists only the origins permitted to embed it. When a response carries frame-ancestors, current browsers ignore X-Frame-Options for that response, so the CSP directive becomes the effective framing policy.
Syntax
Content-Security-Policy: frame-ancestors <source>;
Content-Security-Policy: frame-ancestors <space separated list of sources>;
Each source is matched against the origin of every ancestor frame, so a page framed by www.domainA.com is only displayed if www.domainA.com matches one of the listed sources.
Here is an example of setting the Content Security Policy (CSP) header in the IIS web.config file so that only specific origins may embed the page:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Allow framing only by the page's own origin and by https://www.domainA.com -->
        <add name="Content-Security-Policy" value="frame-ancestors 'self' https://www.domainA.com/" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
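To confirm that the new header permits www.domainA.com and nothing else before it goes live, the following added Python check (not part of the original article) evaluates a set of response headers the way a browser does: frame-ancestors, when present, decides; otherwise X-Frame-Options does. The sample headers, origins and helper names are constructed for this example, and port handling is simplified.

```python
from urllib.parse import urlsplit

def _host_matches(pattern: str, host: str) -> bool:
    """CSP host-source matching: '*' is any host, '*.domainA.com' any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_allows(src: str, framed: str, embedder: str) -> bool:
    """Does one frame-ancestors source expression permit the embedder origin?"""
    f, e = urlsplit(framed), urlsplit(embedder)
    if src == "'none'":
        return False
    if src == "'self'":  # same scheme, host and port as the framed document
        return (f.scheme, f.hostname, f.port) == (e.scheme, e.hostname, e.port)
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return e.scheme == src[:-1].lower()
    p = urlsplit(src if "://" in src else "//" + src)  # host-source, scheme optional
    if (p.scheme and p.scheme != e.scheme) or (p.port is not None and p.port != e.port):
        return False  # simplified: no '*' port and no default-port normalisation
    return _host_matches(p.hostname or "", e.hostname or "")

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_allowed(headers: dict, framed: str, embedder: str) -> bool:
    """Decide as a CSP3 browser does: frame-ancestors, if present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_allows(s, framed, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _source_allows("'self'", framed, embedder)
    return True  # neither header present: any site may frame the page

# Constructed sample headers for www.domainB.com: the original blanket setting and the web.config value
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}
AFTER = {"Content-Security-Policy": "frame-ancestors 'self' https://www.domainA.com/"}
FRAMED = "https://www.domainB.com"
```

Calling `framing_allowed(AFTER, FRAMED, "https://www.domainA.com")` returns True, while the same call with `BEFORE` or with an unlisted origin returns False.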
Article ID: 2269, Created: September 21, 2023 at 4:16 AM, Modified: September 21, 2023 at 4:20 AM