Refused to display '[https-url]' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.



I am getting the following error (in EPiServer) in the console, when I am trying to browse https-pages on our website:

Refused to display 'https://[url]' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Our website is running the latest version of Episerver and using https on only a subset of our pages, using the [RequireHttps] attribute.

I assume its caused by EPiServer trying to load a https page while EPiserver itself is not running under https, but I am just guessing.

Does anyone know how to solve this error?

Best regards


May 08, 2015 17:59

This seems to be caused by episerver edit mode loading content in frame, and the fact that the x-frame-options : sameorigin header is set by the mvc framework pr default

one solution could be to supress the xframeoptions header for all pages, edit mode or not

global.asax :

protected void Application_Start()
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

 Another solution could be to remove the x-frameoptions header  when pages are in editmode, using a filter on those controllers loading content via https

public class XframeFilter: ActionFilterAttribute
        public override void OnResultExecuted(ResultExecutedContext filterContext)
            if (PageEditing.PageIsInEditMode)
May 08, 2015 21:56
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.