Is there any way to bypass the x-frame-options header without using a MitM or changing the packets in another way?
So actually getting a site that has x-frame-options: DENY to be shown in an iframe.
There is one caveat when using the X-Frame-Options header: it only checks the top-level frame. This means that if you have nested frames, i.e. frames within frames, it is still possible for another origin to include a site with an X-Frame-Options: SAMEORIGIN header.
In this regard the header Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors.
So actually getting a site that has x-frame-options: DENY to be shown in an iframe.
It's not possible to embed a site sending an X-Frame-Options: DENY header in any frame.
From RFC 7034:
DENY A browser receiving content with this header field MUST NOT display this content in any frame.
However, it might in some instances be possible to bypass the SAMEORIGIN directive, as some browsers only check the top-level origin and not the direct frame parent:
SAMEORIGIN A browser receiving content with this header field MUST NOT display this content in any frame from a page of different origin than the content itself. [...] Please note that current implementations vary on the interpretation of this criteria. In some, it only allows a page to be framed if the origin of the top-level browsing context is identical to the origin of the content using the X-Frame-Options directive; in others, it may consider the origin of the framing page instead.
(Emphasis my own.)
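A small Python model of the two checks both answers above describe, added here as an example (it is not code from the question or the answers): X-Frame-Options SAMEORIGIN compared against a single ancestor (top-level or direct parent, since RFC 7034 notes implementations differ) versus CSP frame-ancestors compared against every ancestor in the chain. The host names victim.example and third-party.example and the URL chain are constructed.

```python
from urllib.parse import urlsplit

def origin(url: str) -> str:
    """Scheme + host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def xfo_allows(value: str, content_url: str, ancestors: list[str],
               checks: str = "top") -> bool:
    """Model X-Frame-Options. `ancestors` runs from the direct parent
    outward to the top-level page. `checks` picks which ancestor the
    SAMEORIGIN comparison uses, since implementations differ (RFC 7034):
    'top' = top-level browsing context only, 'parent' = direct parent."""
    v = value.strip().upper()
    if not ancestors:          # not framed at all: always displayed
        return True
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        checked = ancestors[-1] if checks == "top" else ancestors[0]
        return origin(checked) == origin(content_url)
    raise ValueError(f"unsupported X-Frame-Options value: {value!r}")

def frame_ancestors_allows(sources: str, content_url: str,
                           ancestors: list[str]) -> bool:
    """Model CSP frame-ancestors for the sources 'none', 'self' and plain
    origins. Every ancestor in the chain must match, not just one."""
    allowed = sources.split()
    if not ancestors:
        return True
    if "'none'" in allowed:
        return False
    permitted = {origin(s) for s in allowed if s != "'self'"}
    if "'self'" in allowed:
        permitted.add(origin(content_url))
    return all(origin(a) in permitted for a in ancestors)

# Constructed scenario (hypothetical hosts): a victim.example page embeds a
# third-party widget, and that widget frames a victim.example page again.
CONTENT = "https://victim.example/account"
CHAIN = ["https://third-party.example/widget",   # direct parent
         "https://victim.example/portal"]        # top-level page

if __name__ == "__main__":
    for name, ok in [("XFO SAMEORIGIN (top-level)", xfo_allows("SAMEORIGIN", CONTENT, CHAIN, "top")),
                     ("XFO SAMEORIGIN (parent)", xfo_allows("SAMEORIGIN", CONTENT, CHAIN, "parent")),
                     ("XFO DENY", xfo_allows("DENY", CONTENT, CHAIN)),
                     ("CSP frame-ancestors 'self'", frame_ancestors_allows("'self'", CONTENT, CHAIN))]:
        print(f"{name:30} -> {'displayed' if ok else 'blocked'}")
```

With the top-level-only interpretation the SAMEORIGIN page is displayed inside the third-party widget, while frame-ancestors 'self' blocks it because one ancestor in the chain is foreign.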