Announcement Announcement Module
No announcement yet.
X-Frame-Options in redirecting? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • X-Frame-Options in redirecting?


    I am trying to stop any usage of my web app if it is embedded within a frame. But as I employ SS to protect the publicized URL, the first step of user accessing the URL would be they are redirected to the login page.

    I append the 'X-Frame-Options' to my redirect response in hope of that would stop the redirecting if called in a frame just to find out that it does not work. It will function as expected if it is not a redirect response. But there seems to me no way I can tell from server side if the request comes from a frame or not.

    Can I have some hint/helps on how to achieve the 'no redirecting if called from a frame'? Really appreciate it

  • #2
    The best success I've had ensuring that my web pages are not being served inside a frame is to use JavaScript on my login page.

    It's not as sexy as encapsulating the logic in your security layer, I know, but it's just a few lines of JavaScript that works 99% of the time and even with older browsers that don't support x-frame-options.

    if (top.location != location) {
        top.location.href = document.location.href;
        // or perform some ajax call to the server...
    Good luck!


    • #3
      thank you for the reply, Monger. But there is no page behind my URL. it is my SS filters that are taking care of the URL.
      If I had a page, I could have just set the response header directly