Tags: iframe, x-frame-options, xfs

How to override the value of X-Frame-Options HTTP Header at page level


I have a .Net Web application in which I've used some iframes and framesets. To protect my site from Cross-Frame Scripting attacks I'm planning to add an HTTP Response Header "X-Frame-Options" with a value of "SAMEORIGIN" in my IIS or my Global.asax. This is the article I'm referring to:

http://blogs.microsoft.com/cybertrust/2009/02/05/clickjacking-defense-in-ie8/

But, there could be a scenario where I actually want to show a web page from a different domain on a specific page inside an iframe. So, is it possible to override the setting of the "X-Frame-Options" header "just for that page" to "ALLOW-FROM" and specify the sites I want to allow? If yes then how do I do that? If I override my settings for this page will that also change my global setting value?


Solution

  • Your best bet may be to set the headers on each page. You could have a master page, from which all other pages inherit, and the individual page could then override a header property that the master page has.
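One way to do what the answer describes in ASP.NET Web Forms, as an added example that is not part of the original answer: a site-wide default set in Global.asax, a base page class with a property that individual pages override, and a helper that replaces the header value instead of appending a second one. The namespace `FrameDemo`, the class names, and the partner origin `https://partner.example` are hypothetical.

```csharp
// Global.asax.cs (assumed file; Global.asax carries <%@ Application Inherits="FrameDemo.Global" %>)
using System;
using System.Web;
using System.Web.UI;

namespace FrameDemo // assumed namespace
{
    public class Global : HttpApplication
    {
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            // Site-wide default for every response, handlers and static files included.
            // A page that must be framed elsewhere replaces these values later in its
            // own lifecycle (see SecurePage below); the global value itself is untouched.
            FrameHeaders.Apply(Response, "SAMEORIGIN", "frame-ancestors 'self'");
        }
    }

    // Replaces rather than appends, so an override never yields
    // "X-Frame-Options: SAMEORIGIN, ALLOW-FROM ..." (browsers treat a header
    // with two values as malformed and apply no framing restriction at all).
    public static class FrameHeaders
    {
        public static void Apply(HttpResponse response, string xfoValue, string cspValue)
        {
            // HttpResponse.Headers is writable only under the IIS integrated pipeline;
            // classic mode throws PlatformNotSupportedException on this access.
            response.Headers.Set("X-Frame-Options", xfoValue);
            // Modern browsers ignore ALLOW-FROM, so the same policy is also expressed
            // as a CSP frame-ancestors directive, which they do honour.
            response.Headers.Set("Content-Security-Policy", cspValue);
        }
    }

    // Base page for the whole site. The default (null) keeps the global SAMEORIGIN;
    // a page that may be embedded by one other site overrides AllowedFrameOrigin.
    public class SecurePage : Page
    {
        protected virtual string AllowedFrameOrigin
        {
            get { return null; }
        }

        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);
            if (!string.IsNullOrEmpty(AllowedFrameOrigin))
            {
                // ALLOW-FROM accepts exactly one origin (scheme + host [+ port]).
                FrameHeaders.Apply(Response,
                    "ALLOW-FROM " + AllowedFrameOrigin,
                    "frame-ancestors 'self' " + AllowedFrameOrigin);
            }
        }
    }

    // The one page a partner site is allowed to put in an iframe (hypothetical origin).
    public partial class PartnerWidget : SecurePage
    {
        protected override string AllowedFrameOrigin
        {
            get { return "https://partner.example"; }
        }
    }
}
```

Two caveats a practitioner will want. First, `X-Frame-Options` on your page governs who may frame your page; it has no effect on whether your page may embed a page from another domain, which is decided by that other site's own headers. Second, `ALLOW-FROM` was only ever honoured by Internet Explorer and older Firefox; Chrome and Safari ignore the whole header when they see it, so the page would be unprotected there without the accompanying `Content-Security-Policy: frame-ancestors` line. Keep the site-wide default in code as above rather than in an IIS `<customHeaders>` entry: IIS appends its configured value on every response, so a page override can end up sending both values, which is exactly the malformed case the helper avoids.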