Your site can have Content-Security-Policy headers that prevent it from being iframed.
Thanks, I am getting a refused to connect error.
I can see that the response header X-Frame-Options is set as same origin, but how can I change the header to Content-Security-Policy in Episerver, and does it have any risk?
Take a look at this page for an explanation and an example of configuration at the very bottom:
https://content-security-policy.com/
I do not think this is added by default, so I suspect you will find it if you search your code solution for "Content-Security-Policy".
If you want to change the CSP-header for specific pages, you could create an IHttpModule and add the header in OnPreSendRequestHeaders.
Vahid, see X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Configuring_IIS
In your web.config (or transformation file) see if you have something like this under system.webServer section:
    <httpProtocol>
      <customHeaders>
        <!-- security audits like this -->
        <remove name="X-Powered-By" />
        <!-- add headers to improve security -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
BUT for that your options are limited to: DENY or SAMEORIGIN.
So you should remove that setting if you have it and then use CSP to limit who/what can load the page to an iframe.
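The approach suggested in the replies above (an IHttpModule that sets the CSP header in OnPreSendRequestHeaders, with the X-Frame-Options entry removed from web.config), sketched as an added example that is not part of any post in this thread and is not Episerver's own code. The class name, the parent origin `https://partner.example` and the path `/contact-us/` are hypothetical; it uses the CSP `frame-ancestors` directive and assumes the IIS integrated pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (hypothetical names). Assumes IIS integrated pipeline mode and
// that the X-Frame-Options customHeaders entry has been removed from web.config.
public class FrameAncestorsModule : IHttpModule
{
    // Hypothetical values: the one external site allowed to embed pages,
    // and the pages it is allowed to embed.
    private const string AllowedParent = "https://partner.example";
    private static readonly HashSet<string> EmbeddablePaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/contact-us/" };

    public void Init(HttpApplication application)
    {
        application.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        if (context == null) return;

        // Normalise so "/contact-us" and "/contact-us/" match the same entry.
        var path = context.Request.Url.AbsolutePath;
        if (!path.EndsWith("/")) path += "/";

        // Listed pages may be framed by this site and the named parent only;
        // every other page keeps same-origin framing, like SAMEORIGIN did.
        var ancestors = EmbeddablePaths.Contains(path)
            ? "'self' " + AllowedParent
            : "'self'";
        var directive = "frame-ancestors " + ancestors;

        // Keep a policy already set by application code and append to it.
        // If that policy already has frame-ancestors, browsers use the first
        // occurrence and ignore this one, so change it at its source instead.
        var headers = context.Response.Headers;
        var existing = headers["Content-Security-Policy"];
        headers["Content-Security-Policy"] = string.IsNullOrEmpty(existing)
            ? directive
            : existing.TrimEnd(';', ' ') + "; " + directive;
    }

    public void Dispose() { }
}
```

The module has to be registered under system.webServer/modules in web.config before it runs. Listing one explicit origin rather than a wildcard keeps the clickjacking protection that SAMEORIGIN gave for every site except the named parent.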
Hi
I am trying to have an Episerver page that contains an Epi form in a different website with a different domain.
Is there any way to use an Episerver page in an iframe inside another website that has WordPress, for example?
I've tried it in a simple HTML file and a WordPress page; both are getting refused to connect. However, this issue is not happening on the website home page, but for any other subpage, like Contact Us for example, that error occurred.