Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Dincer M. 35 posts 97 karma points
    Sep 21, 2017 @ 04:49
    Dincer M.
    0

    Load denied by X-Frame-Options: <URL> does not permit framing.

    Hi,

    We recently switched our Umbraco site to HTTPS, and now we cannot create anything in the back office, as we receive this error in the console:

    Load denied by X-Frame-Options:

    When I change the value of "umbracoUseSSL" key from false to true in web.config, I cannot login the back office due to too many redirection error.

    Is there any other way to solve this problem?

    Regards.

  • Sebastiaan Janssen 5053 posts 15507 karma points MVP admin hq
    Sep 21, 2017 @ 05:57
    Sebastiaan Janssen
    100

    I have a lot of tips about https in my blog post here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/

    For the first error you need to allow some iframes for certain locations (umbraco path).

    The redirects problem doesn't ring a bell directly but maybe the blog post will help you find the magical balance.

  • Dincer M. 35 posts 97 karma points
    Sep 21, 2017 @ 06:08
    Dincer M.
    0

    Hi Sebastiaan,

    Actually your article was the first thing I checked via Google search and made the 'umbracoUseSSL' change accordingly.

    For the first error you need to allow some iframes for certain locations (Umbraco path).

    I will read further about this suggestion now.

  • Dincer M. 35 posts 97 karma points
    Sep 21, 2017 @ 07:38
    Dincer M.
    1

    For the first error you need to allow some iframes for certain locations (Umbraco path).

    This was the solution for my problem.

    So, I changed the value of "umbracoUseSSL" key back to false, and added the following section to my web.config:

         <location path="umbraco">
      <system.webServer>
       <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
       <httpProtocol>
        <customHeaders>
         <remove name="X-Frame-Options" />
         <add name="X-Frame-Options" value="SAMEORIGIN" />
         <remove name="Content-Security-Policy" />
         <add name="Content-Security-Policy" value="default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';" />
        </customHeaders>
       </httpProtocol> 
      </system.webServer>
     </location>
    

    Problem solved! Thank you very much Sebastiaan..

Please Sign in or register to post replies

Write your reply to:

Draft