How Can I Bypass the X-Frame-Options: SAMEORIGIN HTTP Header?
Solution 1:
UPDATE: 2019-12-30
It seem that this tool is no longer working!
[Request for update!]
UPDATE 2019-01-06: You can bypass X-Frame-Options
in an <iframe>
using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.
You can use it as follows:
-
(Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:
<script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
-
Include the X-Frame-Bypass JS module:
<script type="module" src="x-frame-bypass.js"></script>
-
Insert the X-Frame-Bypass Custom Element:
<iframe is="x-frame-bypass" src="https://example.org/"></iframe>
Solution 2:
If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.
There's nothing you can do to circumvent it and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says not allowed in frames. That would make it easier for session hijacking.
If the content is GET only you don't post data back then you could get the page server side and proxy the content without the header, but then any post back should get invalidated.
Solution 3:
The X-Frame-Options header is a security feature enforced at the browser level.
If you have control over your user base (IT dept for corp app), you could try something like a greasemonkey script (if you can a) deploy greasemonkey across everyone and b) deploy your script in a shared way)...
Alternatively, you can proxy their result. Create an endpoint on your server, and have that endpoint open a connection to the target endpoint, and simply funnel traffic backwards.
Solution 4:
Yes Fiddler is an option for me:
- Open Fiddler menu > Rules > Customize Rules (this effectively edits
CustomRules.js
). - Find the function
OnBeforeResponse
-
Add the following lines:
oSession.oResponse.headers.Remove("X-Frame-Options"); oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
- Remember to save the script!
Solution 5:
As for second question - you can use Fiddler filters to set response X-Frame-Options
header manually to something like ALLOW-FROM *
. But, of course, this trick will work only for you - other users still won't be able to see iframe content(if they not do the same).