3

I am trying to find the reason that a certain webpage is not getting iframed even when X-Frame-Options header is absent.
Observation:
When I write an HTML with iframe tag pointing to the URL and save this file locally and open it, I can find the page getting loaded in an inframe. But I when I try the same URL here, it is not getting loaded in iframe.
So what else can stop a page from getting iframed except setting X-Frame-Option header value as DENY/Same-Origin?

This is a company specific link so I am refraining myself from pasting the URL but I am writing down all the response header that are being set:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=value
X-OFIS: some value
Strict-Transport-Security: max-age=31536000
X-UA-Compatible: IE=edge
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' *.xyz.com
X-Content-Security-Policy: default-src 'self' *.xyz.com
Access-Control-Allow-Origin: *
Date: Sat, 13 May 2017 17:38:04 GMT
Connection: close
Content-Length: 33335

one
  • 1,781
  • 3
  • 18
  • 45

1 Answers1

6

The HTTP header Content-Security-Policy can be used to protect from loading the page in an iframe.

In this case, its value is set to default-src 'self' *.xyz.com which means that only the current domain, and *.xyz.com can load this page in an iframe.

That HTTP header has other uses like protecting from XSS attacks. You can find more information on the OWASP guide.

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
  • Thank you for the answer. Now it seems only IE does not support CSP. I cant load the page in an iframe when I am using chrome and mozilla. But when I am using IE11, it is loaded in an iframe. – one May 13 '17 at 18:43
  • 1
    @one I guess it's because of IE lack of support for that HTTP header. You can check [the browser support on caniuse](https://caniuse.com/#feat=contentsecuritypolicy2) – Benoit Esnard May 13 '17 at 18:43