I am having an issue using X-Frame-Options.
I need to embed one site in an iframe on another (different domains) in IE 11 and Edge. Research and experience indicate that IE doesn't yet support CSP level 2 frame-ancestors, so I must use X-Frame-Options.
I have added the response header `X-Frame-Options: allow-from https://<mysite>.com` on the site that needs to be embedded.
These are secured sites, so I am unable to provide the real URLs to the community.
When I launch the main site, which contains the iframe with the second site's content, I am able to see the X-Frame-Options header in the response for the iframe content, and it looks applied correctly. However, IE indicates "...modified this page to help prevent cross-site scripting", and the frame contains a # symbol.
Due to timing and internal delays, we are unable to have both sites hosted in the same domain.
Can anyone explain what I did wrong in implementing X-Frame-Options, or whether there is another option to achieve the desired effect?
It turns out the issue wasn't related to frames. The framed content had the same XSS error/note when accessed directly as when accessed through the embedded iframe. The timing of the error showing up threw me off, since it coincided with the implementation of CSP level 2 frame-ancestors.
I have opened a case with MS to determine what in the content the XSS engine doesn't like, and have had to disable the XSS filter in IE browsers with the `X-XSS-Protection: 0` response header.
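The header setup discussed in this thread, as an added example that is not part of the original post: a Python helper that builds the response headers for the framed site (CSP `frame-ancestors` for standards browsers plus the legacy `X-Frame-Options: ALLOW-FROM` for IE 11 and old Edge, which ignore `frame-ancestors`), and a simplified model of how a browser with or without CSP level 2 support decides whether a given embedder may frame the page. The origins `https://main.example` and `https://second.example` are constructed placeholders standing in for the poster's undisclosed sites; the `may_frame` logic is a deliberately simplified model of browser behaviour, not a browser implementation.

```python
"""Added example: framing headers for a cross-domain iframe and a simplified
model of how browsers evaluate them.  Origins below are constructed."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL (or bare origin) to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_headers(allowed_origin: str, disable_ie_xss_filter: bool = False) -> dict:
    """Response headers for the site that is going to be framed.

    frame-ancestors (CSP level 2) is the standards-based control.  ALLOW-FROM
    is kept for IE 11 / legacy Edge, which ignore frame-ancestors; note that
    ALLOW-FROM accepts exactly one origin.
    """
    headers = {
        "Content-Security-Policy": f"frame-ancestors 'self' {allowed_origin}",
        "X-Frame-Options": f"ALLOW-FROM {allowed_origin}",
    }
    if disable_ie_xss_filter:
        # The poster's workaround for the "modified this page" notice: switch
        # off IE's XSS filter.  This removes a (weak, deprecated) mitigation,
        # so the page content itself should be reviewed for reflected input.
        headers["X-XSS-Protection"] = "0"
    return headers


def _frame_ancestors_sources(csp: str):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def may_frame(headers: dict, embedder_url: str, framed_origin: str,
              supports_frame_ancestors: bool) -> bool:
    """Simplified model: a browser that understands frame-ancestors uses it
    and ignores X-Frame-Options; otherwise X-Frame-Options decides.  With no
    recognised policy at all, framing is allowed (the browser default)."""
    embedder = origin_of(embedder_url)
    framed = origin_of(framed_origin)

    sources = _frame_ancestors_sources(headers.get("Content-Security-Policy", ""))
    if supports_frame_ancestors and sources is not None:
        for src in sources:
            s = src.strip("'").lower()
            if s == "none":
                return False
            if s == "self" and embedder == framed:
                return True
            if s == "*" or s == embedder:
                return True
        return False  # no source matched

    xfo = headers.get("X-Frame-Options", "").strip()
    if not xfo:
        return True
    parts = xfo.split()
    directive = parts[0].upper()  # IE accepts the directive case-insensitively
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return embedder == framed
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return embedder == origin_of(parts[1])
    return True  # unrecognised value: browsers ignore the header


if __name__ == "__main__":
    hdrs = framing_headers("https://main.example", disable_ie_xss_filter=True)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    for legacy in (False, True):
        label = "legacy (no frame-ancestors)" if legacy else "modern"
        print(label, "main.example ->",
              may_frame(hdrs, "https://main.example/page", "https://second.example",
                        not legacy))
        print(label, "other.example ->",
              may_frame(hdrs, "https://other.example/", "https://second.example",
                        not legacy))
```

Running the model against a CSP-only policy shows the gap the poster describes: a browser without `frame-ancestors` support falls through to `X-Frame-Options`, finds nothing, and allows any embedder, which is why both headers are sent together.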