  • David Amri 214 posts 740 karma points
    Sep 04, 2018 @ 05:55
    David Amri
    1

    Preview node denied X-Frame-Options

    Hi,

    I'm not able to preview any node in Umbraco because the X-Frame-Options is set to "deny". Now this is true for the frontend, but within the:

    <location path="umbraco">
    </location>
    

    I'm setting the X-Frame-Options to "SAMEORIGIN". Any ideas why the X-Frame-Options setting in Umbraco isn't working?

    /David

  • Alex Brown 129 posts 620 karma points
    Sep 04, 2018 @ 11:54
    Alex Brown
    0

    Have you removed the header first? My tag looks like the following:

      <location path="umbraco">
        <system.webServer>
          <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
          <httpProtocol>
            <customHeaders>
              <remove name="X-Frame-Options" />
              <add name="X-Frame-Options" value="SAMEORIGIN" />
            </customHeaders>
          </httpProtocol>
        </system.webServer>
      </location>
    
  • David Amri 214 posts 740 karma points
    Sep 04, 2018 @ 12:46
    David Amri
    0

    Hi Alex,

    Yes, I do remove the header first. My header looks exactly like yours. :/

    / David

  • Vetrivel 21 posts 130 karma points
    Nov 12, 2020 @ 04:59
    Vetrivel
    0

    Hi David/Alex,

    Did you fix this issue? I too have the same problem, and I updated the config files too.

    thanks.

  • Tom Weston 3 posts 73 karma points
    Apr 27, 2021 @ 15:18
    Tom Weston
    0

    I'm also having this problem, after following Umbraco's advice on X-Frame-Options from their online security course.

    They said to allow SAMEORIGIN for the Umbraco location, to enable some of the functionality, but it appears to have broken the preview.

    ... my workaround is to put the whole site X-Frame-Options to SAMEORIGIN, not as secure as DENY, but will still protect against clickjacking from another domain :)
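
Added example, not part of any post in this thread: a simplified model of the browser's X-Frame-Options decision (one parent frame, CSP `frame-ancestors` ignored), showing why SAMEORIGIN on the `umbraco` location alone would not help if the preview frame loads a front-end URL that still answers DENY, which is what Tom Weston's workaround suggests. The hostnames, paths and function names are constructed, and the assumption that preview frames a front-end URL is not confirmed in the thread.

```javascript
// Added example, not from the thread. Simplified model of the browser's
// X-Frame-Options check: one parent frame, CSP frame-ancestors ignored.

// headerLines: one string per X-Frame-Options header line on the framed response.
function xfoTokens(headerLines) {
  const tokens = new Set();
  for (const line of headerLines) {
    for (const part of line.split(",")) {
      const t = part.trim().toLowerCase();
      if (t) tokens.add(t);
    }
  }
  return tokens;
}

// Decide whether the document at parentUrl may frame the response from framedUrl.
function mayFrame(parentUrl, framedUrl, headerLines) {
  const tokens = xfoTokens(headerLines);
  if (tokens.size === 0) return { allowed: true, reason: "no header" };
  if (tokens.size > 1) {
    // Several distinct values: any recognised one makes the set a conflict.
    const known = ["deny", "allowall", "sameorigin"].some((k) => tokens.has(k));
    return known
      ? { allowed: false, reason: "conflicting values" }
      : { allowed: true, reason: "invalid header ignored" };
  }
  if (tokens.has("deny")) return { allowed: false, reason: "deny" };
  if (tokens.has("sameorigin")) {
    const same = new URL(parentUrl).origin === new URL(framedUrl).origin;
    return { allowed: same, reason: same ? "same origin" : "cross origin" };
  }
  return { allowed: true, reason: "unrecognised value ignored" };
}

// Constructed URLs; the thread gives no hostnames.
const BACKOFFICE = "https://site.example.test/umbraco/";
const PAGE = "https://site.example.test/products/"; // assumed preview target
const OTHER = "https://other.example.test/";

function report() {
  return [
    ["backoffice frames page, DENY", mayFrame(BACKOFFICE, PAGE, ["DENY"])],
    ["backoffice frames page, SAMEORIGIN", mayFrame(BACKOFFICE, PAGE, ["SAMEORIGIN"])],
    ["other site frames page, SAMEORIGIN", mayFrame(OTHER, PAGE, ["SAMEORIGIN"])],
    ["two header lines, DENY + SAMEORIGIN", mayFrame(BACKOFFICE, PAGE, ["DENY", "SAMEORIGIN"])],
  ];
}

for (const [label, r] of report()) console.log(label, "->", r.allowed, `(${r.reason})`);
```

The header that matters is the one on the response being framed, not the one on the page hosting the frame, so checking the actual response headers of the previewed URL is the first diagnostic step.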
