Inline frame tag in HTML: The iframe tag is used to display or embed another document within an HTML document. Its ‘src’ attribute specifies the URL of the document to be displayed. A site’s X-Frame-Options header can prevent one HTML document from being displayed within another.
X-Frame-Options: X-Frame-Options is not an attribute of the iframe, frame or any other HTML tag. It is an HTTP response header, one of the so-called HTTP security headers. This header tells the browser whether or not the HTML document at the requested URL may be rendered inside a frame, and so plays an important role in preventing clickjacking attacks. Consequently X-Frame-Options cannot be set in the body of an HTML document; it is set by the domain from which the resource is requested. The X-Frame-Options values available are:
- DENY: The page carrying this value is never rendered inside a container such as iframe, frame, object or applet. It is refused even when the framing page is from the same site.
- SAMEORIGIN: The page may be rendered only by pages of the same origin; a page from the same site is allowed to display it.
- ALLOW-FROM uri: The page may be rendered only by HTML documents from the specified URI.
The X-Frame-Options header is set in the web-server configuration (for IIS, the site's web.config) of the site that is to be loaded in an iframe.
For configuring IIS, write:
For configuring Apache (the Header directive needs mod_headers enabled):
Header always set X-Frame-Options "sameorigin"
Note: Edge (version 12 and above) and Internet Explorer (version 8 and above) support ALLOW-FROM uri in X-Frame-Options. Browsers that do not recognise the directive ignore it and allow framing, so ALLOW-FROM should not be relied on as a cross-origin allow-list; the Content-Security-Policy frame-ancestors directive covers that case.
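A small checker that classifies the X-Frame-Options header of a response according to the three directives listed above and the ALLOW-FROM caveat in the note, written as an added example for this article (it is not code from the original page). It parses raw HTTP response text, so the responses it runs over are constructed here; `SAMPLE_RESPONSES`, `parse_headers`, `evaluate_xfo` and `audit_all` are names chosen for this example.

```python
"""Check a response's X-Frame-Options policy (added example, not from the article).

Parses the raw header block of an HTTP response and classifies the framing
policy using the three directives described above (DENY, SAMEORIGIN,
ALLOW-FROM uri). All sample responses below are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed sample responses, one per case a checker should handle.
SAMPLE_RESPONSES = {
    "apache_sameorigin": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: sameorigin\r\n"  # value the Apache line above sets
        "\r\n<html>...</html>"
    ),
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "allow_from": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n"
    ),
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "conflict": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    ),
    "typo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
}


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def evaluate_xfo(raw):
    """Classify the X-Frame-Options policy of one raw response.

    directive: DENY, SAMEORIGIN, ALLOW-FROM, MISSING or INVALID
    framable_by: who may embed the page; allowed_uri: URI from ALLOW-FROM
    warnings: notes a reviewer of the configuration should see
    """
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    result = {"directive": None, "framable_by": None, "allowed_uri": None, "warnings": []}

    if not values:
        result.update(directive="MISSING", framable_by="any origin")
        result["warnings"].append("header absent: any site can frame this page (clickjacking exposure)")
        return result

    if len({v.upper() for v in values}) > 1:
        # Two different values in one response is a misconfiguration; fix it rather
        # than rely on how a particular browser resolves the conflict.
        result.update(directive="INVALID", framable_by="browser-dependent")
        result["warnings"].append("conflicting X-Frame-Options values: " + ", ".join(values))
        return result

    value = values[0]
    upper = value.upper()
    if upper == "DENY":
        result.update(directive="DENY", framable_by="no one")
    elif upper == "SAMEORIGIN":
        result.update(directive="SAMEORIGIN", framable_by="same-origin pages only")
    elif upper.startswith("ALLOW-FROM"):
        uri = value[len("ALLOW-FROM"):].strip()
        parts = urlsplit(uri)
        result.update(directive="ALLOW-FROM", framable_by=uri or "(no URI given)", allowed_uri=uri or None)
        if not (parts.scheme and parts.netloc):
            result["warnings"].append("ALLOW-FROM needs an absolute URI with scheme and host")
        result["warnings"].append(
            "ALLOW-FROM is supported by Edge 12+ and Internet Explorer 8+; browsers that "
            "do not recognise it ignore the header and allow framing"
        )
    else:
        # Unrecognised values are ignored by browsers, which then allow framing.
        result.update(directive="INVALID", framable_by="any origin")
        result["warnings"].append(f"unrecognised value {value!r}: treated as no policy by browsers")
    return result


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each sample name to its directive classification."""
    return {name: evaluate_xfo(raw)["directive"] for name, raw in responses.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        r = evaluate_xfo(raw)
        print(f"{name:18} {r['directive']:10} framable by: {r['framable_by']}")
        for w in r["warnings"]:
            print("    ! " + w)
```

To run it against a live site, capture the response head (for example with `curl -sI`) and pass the text to `evaluate_xfo`; the directive comparison is case-insensitive because the Apache line above sets the lowercase form `sameorigin`, which browsers accept.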