X-Frame-Options ignored in Chrome / Firefox. IE works
-
28-09-2020 - |
Question
I have a simple PageViewer Webpart loading mysites. This displays in an iFrame within IE but doesn't display in Chrome or Firefox.
I have tried adding the following to my MasterPage:
<meta name="X-FRAME-OPTIONS" content="ALLOW-FROM" />
<!--SPM:<WebPartPages:AllowFraming runat="server" />-->
I have also tried adding the following in IIS (on both mysites and host site collection):
X-Frame-Options = SAMEORIGIN
X-Frame-Options = ALLOWALL
None of which work in Chrome or Firefox. I am getting this error in Chrome:
Multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOWALL') encountered when loading 'htp://siteURL:2000'. Falling back to 'DENY'.
Shouldn't it work with SAMEORIGIN if the 2 site collections are on the same server / web application, just a different port? Where can I impact the original setting?
Solution
Turns out I had to enable this at the Master page level (of the source trying to load within the iFrame):
<WebPartPages:AllowFraming runat="server" ></WebPartPages:AllowFraming>
Hope this helps someone.