Refused to display 'https://xpto.pt/' in a frame because it set 'X-Frame-Options' to 'sameorigin''

Question

Hello,

Anyone with any solution? I have a component developed to preview pdf ́s files. It turns out that today is giving this message "Refused to display 'https://xpto.pt/' in a frame because it set 'X-Frame-Options' to 'sameorigin''"

I have checked in IIS and has no header with this configuration, nor in the component code...

Does anyone know the source of the problem and how to solve it? Thanks

Answer 1

Hi @Flórida da Graça Botelho Araújo,

According to your description, unfortunately I cannot reproduce your problem. I want to confirm if you use and develop it in SharePoint?

Based on this error message: Refused to display 'https://xpto.pt/' in a frame because it set 'X-Frame-Options' to 'sameorigin''. Please try to do some troubleshooting:

1. Please make sure you are using embedded=true while adding source in the iframe. For example:

<iframe class="xpto" src="https://xpto.pt/&embedded=true"></iframe>

2.If your application have web.config then add the following tag in web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="ALLOW" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

This will allow application to append iframe from other origin also. You can also use the following value for X-Frame-Option :

X-FRAME-OPTIONS: ALLOW-FROM https://example.com/ 

Similar issue for reference:

Refused to display ‘url’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’

How to fix Refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin

Hope it can help you. Thanks for your understanding.

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

---

Answer 2

Captura de ecrã 2023-01-11 105521.pngHello

Thanks for the repsonse.

I have added in the web.config the setting.

However, now the error in the image below appears "Refused to display 'https:... in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('SAMEORIGIN, ALLOW'). Falling back to 'deny'."

I have checked in webpart and in IIS and there is no SAMEORIGIN setting...where could this setting be?

I also noticed that the behavior of the component differs by browser. In IE it says "This browser does not support inline PDFs. Please download the PDF to view it: Download PDF", in Edge it says "www.xpto.pr refused to connect".

Any suggestions?

Answer 3

I've done everything, but I'm still in trouble.

I also followed this post [http://sadomovalex.blogspot.com/2015/12/remove-x-frame-options-sameorigin-http.html

and returns the error of the attached image...

       Invalid 'X-Frame-Options' header encountered when loading 'https://www.xpto.pt/': '' is not a recognized directive. The header will be ignored.

1.png

Any suggestions? Thanks