Allow others to iframe my site

Question

If others tries to iframe my site they get error "Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN' ". Do they have to change something, or I, or both? I found there are options for X-Frame-Options :SAMEORIGIN,DENY,and allow only one site. Configuration :IIS8, ASP.NET MVC. Are there any global settings to allow others to iframe my site?

Answer 1

Since your website is the frame target, you would make all the changes to your website. As you will see below, this is quite simple.

Option 1 - Modify your web application's web.config file Remove the X-Frame-Options custom header

Before:

<system.webServer>
...
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="AllowAll" />
  </customHeaders>
 </httpProtocol>
...
</system.webServer>

After

<system.webServer>
...
<httpProtocol>
  <customHeaders/>
 </httpProtocol>
...
</system.webServer>

Option 2 - Log onto the web server and access IIS Manager

1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
3. Double-click the HTTP Response Headers icon in the feature list in the middle.
4. Select X-Frame-Options from the list
5. In the Actions pane on the right side, click Remove.
6. Click OK to save your changes.

Answer 2

In your golbal.asax.cs set X-Frame-Options to AllowAll:

 protected void Application_PreSendRequestHeaders()
 {
    Response.Headers.Remove("X-Frame-Options");
    Response.AddHeader("X-Frame-Options", "AllowAll");
 }