Naveen

Reputation: 53

Microsoft Edge browser unable to load web application in an IFrame. Getting this error - this content can't be shown in a frame

I'm getting the below error in Microsoft Edge, but it works fine in Chrome. Below are the details of the implementation. The user's logged-in email is being captured on the page load of the home page by User.Identity.Name.

  1. Asp.Net Webforms application hosted in Azure.
  2. Enabled Azure AD Authentication.
  3. Loading this web application on the Intranet web page through IFRAME.
  4. The intranet is SSO enabled with OKTA.


Upvotes: 1

Views: 7821

Answers (2)

rickvdbosch

Reputation: 15561

You're running into what X-Frame-Options does.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Source: X-Frame-Options on MDN

If you own the page you're trying to run inside the IFrame, make sure to explicitly set the correct value for the X-Frame-Options header. If you don't: why display it in an IFrame?

If you're running into Chrome behaving differently than Edge, have a look at how the header is used and if Chrome supports it. For instance, ALLOW-FROM is not supported by Chrome.

More info: caniuse.com for x-frame-options.

The MDN document I linked to earlier about ALLOW-FROM:

ALLOW-FROM uri (obsolete)
This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can only be displayed in a frame on the specified origin uri.

EDIT:
As an addition to your statement

Looks like there is no other option other than removing Azure AD authentication

You should never display any login page in an iframe because of the clickjacking issues it introduces. This is not limited to Azure AD authentication; this is true for any and all authentication options.

Azure AD authentication also has a pop-up option. For instance: if you're using MSAL.js there's this:

You can sign in users to your application in MSAL.js in two ways:

  • Pop-up window, by using the loginPopup method
  • Redirect, by using the loginRedirect method

Source: Single-page application: Sign-in and Sign-out

Upvotes: 2

Yu Zhou

Reputation: 12946

You should try to check the X-Frame-Options header. The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME.

Besides, please note that this token must be sent as an HTTP header, and the directive will be ignored if found in a META HTTP-EQUIV tag. You could refer to this article for more information.

If you have control of the Server that sends the content of the iframe, you could refer to this article and this link about configuring the value.

More info: How to set 'X-Frame-Options' on iframe?

Upvotes: 0
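
The behaviour both answers describe, as an added example that is not part of either answer: a simplified JavaScript model of the framing decision, showing how the same X-Frame-Options header is evaluated by a browser that honours ALLOW-FROM and by one that ignores it, and that a META tag has no effect. The function names, the `supportsAllowFrom` switch and the example.com / example.net origins are assumptions made for illustration.

```javascript
// Added example: simplified model of a browser's X-Frame-Options decision for
// a page framed one level deep. `supportsAllowFrom` is a hypothetical switch:
// true = legacy browser honouring ALLOW-FROM, false = modern browser.
function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

function canBeFramed({ headers = {}, meta = {}, pageUrl, parentUrl, supportsAllowFrom }) {
  const notes = [];
  if ("x-frame-options" in lowerKeys(meta)) {
    notes.push("META http-equiv X-Frame-Options is ignored; send an HTTP header");
  }
  const raw = lowerKeys(headers)["x-frame-options"];
  if (raw === undefined) return { allowed: true, notes };

  // Conflicting values (modern-browser rule, applied to both models here):
  const values = [...new Set(raw.split(",").map((v) => v.trim().toLowerCase()))];
  if (values.length > 1) {
    return { allowed: !values.some((v) => v === "deny" || v === "sameorigin"), notes };
  }
  const parent = new URL(parentUrl).origin;
  const page = new URL(pageUrl).origin;
  if (values[0] === "deny") return { allowed: false, notes };
  if (values[0] === "sameorigin") return { allowed: page === parent, notes };

  const m = /^allow-from\s+(\S+)$/.exec(values[0]);
  if (m && supportsAllowFrom) {
    // Assumption: an unparsable URI matches no parent, so framing is blocked.
    let allowedOrigin = null;
    try { allowedOrigin = new URL(m[1]).origin; } catch (e) { /* bad URI */ }
    return { allowed: allowedOrigin === parent, notes };
  }
  notes.push(m ? "ALLOW-FROM is obsolete and ignored: the header gives no protection"
               : "unrecognised value: the header has no effect");
  return { allowed: true, notes };
}

// Constructed sample: an app on one origin framed by an intranet on another.
const sample = { pageUrl: "https://app.example.net/home", parentUrl: "https://intranet.example.com/" };
const allowFrom = { "X-Frame-Options": "ALLOW-FROM https://intranet.example.com" };
console.log(canBeFramed({ ...sample, headers: allowFrom, supportsAllowFrom: true }));
console.log(canBeFramed({ ...sample, headers: allowFrom, supportsAllowFrom: false }));
console.log(canBeFramed({ ...sample, headers: { "X-Frame-Options": "DENY" }, supportsAllowFrom: false }));
console.log(canBeFramed({ ...sample, meta: { "X-Frame-Options": "DENY" }, supportsAllowFrom: false }));
```
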
