Question

I need to open a URL, from an anchor situated on a page created for Facebook at the top-most level. Doing some research, I found that the new X-Frame-Options restrictions are blocking this action and that a possible fix for this is to allow access at the requester level, i.e. my application.

The application is being hosted through IIS 6 so I could easily add the required custom header X-Frame-Options ALLOW-FROM http://www.mywebsite.com/, however, I still get the refusal message when trying to click on a link in my page.

I cannot upgrade to a newer version of IIS as marketing material already went out. Is there another way to fix this, or am I adding the X-Frame-Options at the wrong location?

Also, I have target="_top" in both my anchors.

Solution

> I need to open a URL, from an anchor situated on a page created for Facebook at the top-most level. Doing some research, I found that the new X-Frame-Options restrictions are blocking this action

No, it's the other way around - what the X-Frame-Options header does is restrict a document from being displayed in any kind of frame environment.

> and that a possible fix for this is to allow access at the requester level, i.e. my application.

No. The responder, that is, the web server delivering the resource, has to set that header to control where the document can be displayed or not.

OTHER TIPS

From my experience, please consider the following scenario:

Domain A: Your domain
Domain B: Facebook

Your HTTP Response Header rule in IIS (assuming you're using IIS) would be:

Name: X-Frame-Options
Value: ALLOW-FROM http://www.facebook.com

This will allow Facebook to host an iFrame with your content inside of it. The parent of the iFrame is facebook.com, which is why you must use this approach. You would set the value to SAMEORIGIN if the host header you were supplying in the ALLOW-FROM value was the same as the hosting domain.
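
The rule both answers describe, modelled as an added example that is not part of the original posts: the server of the framed document sends the header, and the browser compares it with the origin of the framing page. The function name, its parameters and the sample URLs are assumptions made for illustration; the model checks only the direct parent and treats a browser without ALLOW-FROM support as ignoring the header.

```javascript
// Added example: a simplified model of how a browser applies X-Frame-Options
// (RFC 7034) to a document about to be rendered inside a frame.
// framingAllowed() and its parameters are hypothetical names.

function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

// headerValue      X-Frame-Options value sent by the framed document's server, or null
// documentUrl      URL of the framed document (the responder)
// parentUrl        URL of the page that contains the frame
// honoursAllowFrom false models a browser that never implemented ALLOW-FROM
function framingAllowed(headerValue, documentUrl, parentUrl, honoursAllowFrom = true) {
  if (!headerValue) return true; // no header: any page may frame the document
  const [directive, ...rest] = headerValue.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case "DENY":
      return false;
    case "SAMEORIGIN":
      return originOf(documentUrl) === originOf(parentUrl);
    case "ALLOW-FROM": {
      // Unsupported or malformed: the header is ignored, so no protection applies
      if (!honoursAllowFrom || rest.length !== 1) return true;
      try {
        return originOf(rest[0]) === originOf(parentUrl);
      } catch {
        return true; // unparsable origin: header ignored in this model
      }
    }
    default:
      return true; // unrecognised directive: header ignored
  }
}

// Constructed sample URLs: the asker's site framed by a Facebook page.
const DOC = "http://www.mywebsite.com/page";
const PARENT = "http://www.facebook.com/app";

function demo() {
  return {
    ownOriginListed: framingAllowed("ALLOW-FROM http://www.mywebsite.com/", DOC, PARENT),
    parentListed: framingAllowed("ALLOW-FROM http://www.facebook.com", DOC, PARENT),
    parentOverHttps: framingAllowed("ALLOW-FROM http://www.facebook.com", DOC,
                                    "https://www.facebook.com/app"),
    sameOrigin: framingAllowed("SAMEORIGIN", DOC, PARENT),
  };
}

console.log(demo());
```

Listing the site's own origin, as in the question, blocks the Facebook parent; listing the parent's origin allows it only when scheme and host both match.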

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow