X-Frame-Options and Orchard CMS

Just recently I ran into an issue while working on an Orchard CMS 1.8.1 website for a client. As part of the project, some of the Orchard pages need to be loaded on an external website via an iframe. When the external page loads, the iframe fails to load the Orchard page and Chrome shows the following message:

Refused to display ‘{My Url}’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’.

There are a couple of options for fixing this:

  1. Suppress the header – If you are building Orchard from source, you can add the following to your Global.asax.cs:
    using System.Web.Helpers; // AntiForgeryConfig lives here; place at the top of the file

    protected void Application_Start()
    {
        // Stops ASP.NET's anti-forgery support from adding
        // X-Frame-Options: SAMEORIGIN to every response.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    }
    

    IMPORTANT: Use at your own risk as this should be avoided! X-Frame-Options is a very important part of preventing clickjacking.

  2. Rewrite the header – You can add the following to your web.config, which rewrites the X-Frame-Options response header to a value of your choosing:
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="RewriteXFrameOptions" patternSyntax="Wildcard" stopProcessing="false">
            <match serverVariable="RESPONSE_X-Frame-Options" pattern="*" />
            <action type="Rewrite" value="{Your New Value Here}" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
    

    NOTE: IIS needs the URL Rewrite module installed for outbound rules to work.
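Whichever option you pick, confirm what the response actually sends afterwards. The script below is an added example, not code from the original post or from Orchard: it classifies a response's anti-clickjacking headers (X-Frame-Options and, when present, the CSP `frame-ancestors` directive, which browsers that support it honour over X-Frame-Options) and reports whether the page ends up blocked, same-origin only, limited to an allow-list, or open to any framer. The header sets in the `__main__` block are constructed samples, and the live URL is a placeholder.

```python
"""Audit a response's anti-clickjacking headers.

Added example, not from the original post or from Orchard: classifies what
X-Frame-Options and (when present) CSP frame-ancestors actually permit, so
you can confirm the effect of suppressing or rewriting the header.
"""
import urllib.request


def parse_x_frame_options(value):
    """Return (policy, detail) for one X-Frame-Options header value."""
    v = value.strip()
    upper = v.upper()
    if upper == "DENY":
        return ("deny", None)
    if upper == "SAMEORIGIN":
        return ("sameorigin", None)
    if upper.startswith("ALLOW-FROM"):
        # Obsolete directive: current browsers ignore it (and with it the header).
        return ("allow-from", v[len("ALLOW-FROM"):].strip())
    return ("invalid", v)


def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_frame_policy(headers):
    """headers: mapping of lower-case header name -> value.

    Returns a dict with 'effective' (deny / sameorigin / allow-list / open),
    'source' (csp / xfo / None), optional 'allowed', and 'warnings'.
    """
    warnings = []
    csp = headers.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # Browsers that support frame-ancestors ignore X-Frame-Options
            # when both are present, so CSP decides the effective policy.
            if sources == ["'none'"]:
                return {"effective": "deny", "source": "csp", "warnings": warnings}
            if sources == ["'self'"]:
                return {"effective": "sameorigin", "source": "csp", "warnings": warnings}
            return {"effective": "allow-list", "source": "csp",
                    "allowed": sources, "warnings": warnings}

    xfo = headers.get("x-frame-options")
    if xfo is None:
        warnings.append("no framing restriction: any site can embed this page "
                        "(clickjacking risk)")
        return {"effective": "open", "source": None, "warnings": warnings}

    policy, detail = parse_x_frame_options(xfo)
    if policy == "allow-from":
        warnings.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                        "use CSP frame-ancestors instead")
        return {"effective": "allow-list", "source": "xfo",
                "allowed": [detail], "warnings": warnings}
    if policy == "invalid":
        warnings.append("unrecognised X-Frame-Options value %r is ignored by "
                        "browsers, leaving the page frameable" % detail)
        return {"effective": "open", "source": "xfo", "warnings": warnings}
    return {"effective": policy, "source": "xfo", "warnings": warnings}


def fetch_headers(url):
    """GET url and return its response headers as a lower-case dict."""
    with urllib.request.urlopen(url) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


if __name__ == "__main__":
    # Constructed header sets standing in for real responses.
    samples = {
        "Orchard default": {"x-frame-options": "SAMEORIGIN"},
        "header suppressed (option 1)": {},
        "rewritten to obsolete ALLOW-FROM (option 2)": {
            "x-frame-options": "ALLOW-FROM https://partner.example"},
        "CSP allow-list alongside X-Frame-Options": {
            "x-frame-options": "SAMEORIGIN",
            "content-security-policy":
                "default-src 'self'; frame-ancestors https://partner.example",
        },
    }
    for name, hdrs in samples.items():
        print(name, "->", audit_frame_policy(hdrs))
    # To check a live site, replace the placeholder URL:
    # print(audit_frame_policy(fetch_headers("https://example.invalid/page")))
```

The warnings are the part to watch: a suppressed header comes back as `open`, and a header rewritten to `ALLOW-FROM <origin>` is flagged because current browsers ignore that directive, so if the goal is to allow one specific external site to frame the page, a CSP `frame-ancestors` allow-list is what actually enforces it.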

Learn more about X-Frame-Options [developer.mozilla.org].
