Security feature: support turning on/off X-Frame-Options HTTP response header via a system setting

Introduction

The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Implementation

  1.  System Setup and the REST API have a new setting for turning the X-Frame-Options HTTP response header on and off: AllowedXFrameOptionsDomains. In Identify*Admin the value is a comma-separated list (example: https://alloweddomain1,https://alloweddomain2...); in the REST API the value is a JSON string array (["https://alloweddomain1", "https://alloweddomain2"]).
  2. The Edit My Profile page in Safewhere Admin issues the response header according to the new setting.
    In the OpenID Connect website sample, or in any website that embeds the Edit My Profile page of Safewhere Admin in an iframe, the browser's rendering policy follows the AllowedXFrameOptionsDomains setting in System Setup. If the Referer URL in the HTTP request header matches one of the configured domains, the HTTP response header X-Frame-Options: ALLOW-FROM https://domain1 is returned to the browser.
  3. If you want to set the header to a static value for all domains, you can do that at the IIS level with PowerShell commands (the value is passed with -Value; -AtElement is only needed when removing, to select the entry by name):
    1. Adding the header for all sites:
      Add-WebConfigurationProperty -PSPath MACHINE/WEBROOT/APPHOST -Filter system.webServer/httpProtocol/customHeaders -Name . -Value @{name = "X-Frame-Options" ; value = 'sameorigin'}
    2. Adding the header for the "Identify master" site only:
      Add-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST/Identify master" -Filter system.webServer/httpProtocol/customHeaders -Name . -Value @{name = "X-Frame-Options" ; value = 'sameorigin'}
    3. To remove the header again, use Remove-WebConfigurationProperty with the same -PSPath, -Filter and -Name, selecting the entry with -AtElement @{name = "X-Frame-Options"}.
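The Referer check from step 2, as an added Python example that is not Safewhere's code: it accepts the AllowedXFrameOptionsDomains value in both formats from step 1, normalizes each entry to an origin, and compares the Referer's origin against that list rather than doing a string-prefix match. The fallback to SAMEORIGIN when the Referer is missing or not in the list is an assumption, not something the page states.

```python
"""Added example (not Safewhere's code): choose the X-Frame-Options value for a
framed page from the AllowedXFrameOptionsDomains setting and the Referer."""
from __future__ import annotations

import json
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], lower-cased, with path and query
    dropped. Comparing whole origins (not prefixes) is what stops
    https://alloweddomain1.attacker.example from matching alloweddomain1."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def parse_allowed_domains(setting: str) -> set[str]:
    """Accept either format the page describes: a JSON string array (REST API)
    or a comma-separated list (Identify*Admin). Blank entries are ignored."""
    setting = setting.strip()
    entries = json.loads(setting) if setting.startswith("[") else setting.split(",")
    return {origin_of(e) for e in entries if e.strip()}


def frame_options_header(referer: str | None, setting: str) -> str:
    """Return the X-Frame-Options value for this request.
    Assumption (not stated on the page): no Referer, an unparsable Referer,
    or a Referer outside the allow-list all fall back to SAMEORIGIN."""
    allowed = parse_allowed_domains(setting)
    if referer:
        try:
            origin = origin_of(referer)
        except ValueError:
            origin = None
        if origin in allowed:
            # ALLOW-FROM takes exactly one origin, so echo the matched one.
            return f"ALLOW-FROM {origin}"
    return "SAMEORIGIN"


if __name__ == "__main__":
    # Constructed sample values, mirroring the formats in step 1.
    api_setting = '["https://alloweddomain1", "https://alloweddomain2"]'
    print(frame_options_header("https://alloweddomain1/embed?x=1", api_setting))
    print(frame_options_header("https://alloweddomain1.attacker.example/", api_setting))
```

ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox/Edge releases; current browsers ignore it, so the same allow-list also needs a Content-Security-Policy frame-ancestors directive to take effect there.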

Known issues

  1. When the default value X-Frame-Options: sameorigin is turned on for the Safewhere Admin site, the Edit My Profile page will not render in an iframe, because the authentication mechanism blocks the Identify Admin redirection page.
  2. In IE11 we may face an issue the first time Edit My Profile is opened in an iframe: IE shows "This content cannot be displayed in a frame" on that first attempt only. If we close the iframe and try again, it works fine. If we clear all of IE's cache, history and cookies, the first-time issue appears again.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://en.wikipedia.org/wiki/Clickjacking
https://community.powerbi.com/t5/Report-Server/IE-and-Edge-Report-error-This-content-cannot-be-displayed-in-a/td-p/318281