Exploring "X-Frame-Options" in IFrame for web-based applications

In our daily work as web developers we use many HTML tags in our websites. From the H1 tag to the FORM tag, each tag has its own functionality and its own limitations. In this blog we focus specifically on the IFRAME tag and its do's and don'ts. For how to implement an IFRAME tag in your website, a Google search will turn up plenty of documentation.
IFRAMEs have several advantages and disadvantages; we will look at the important ones. We will also learn what the "X-Frame-Options" header is and how to handle it.


An IFRAME lets you load an external website or HTML page within your webpage. Most websites and pages can run inside an IFRAME. It has attributes that let you customize it, such as frameborder and scrolling. Earlier we could load any kind of website in an IFRAME, but as the popularity of IFRAMEs increased, new vulnerabilities came into the picture, such as Cross Site Request Forgery (CSRF), also known as ClickJacking, and Cross-Site Scripting (XSS).

Do's: Always try to load pages from the same domain in an IFrame. Loading a different domain or sub-domain may not load all functionality, or may harm your site.
Don'ts: Never try to execute JavaScript code that tries to access elements outside the iframe. This is known as an XSS attack, and most new browser versions block this type of execution.

To prevent these types of vulnerabilities, newer browsers introduced security measures. One of them is "X-Frame-Options". When a browser loads a website in an IFRAME, it first checks whether this option is present in the response headers of the site's domain. If the option is not found in the headers, the browser allows the IFRAME to load the given site. If the browser finds the header, it checks its value. Header values are generally key-value pairs. There are two values for "X-Frame-Options": the first is "DENY" and the second is "SAMEORIGIN". Figure 1 displays the value.

"DENY" means this website is not allowed to load in an IFRAME at all. If you don't want anyone to load your site in any IFRAME, set the header value to X-Frame-Options: DENY. See the screenshots of IE 9 (Figure 2) and Chrome (Figure 3), where the browser's security blocks this type of loading.

"SAMEORIGIN" means the website content is allowed to be framed only by pages from the same domain.
In such cases, if you want to load a website in an IFRAME, you first need to check the headers of that site. The code for checking the header value of any site is given below.
C# function that retrieves a specific header value

using System;
using System.IO;
using System.Net;

// Sends a POST request to 'link' with the given form body and returns the value of the
// X-Frame-Options response header (an empty string when the header is absent).
private string webFetch(string link, string parameter)
{
    string headerValue = "";
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(link);
    request.Method = "POST";
    byte[] byteArray = System.Text.Encoding.UTF8.GetBytes(parameter);
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = byteArray.Length;
    using (Stream dataStream = request.GetRequestStream())
    {
        dataStream.Write(byteArray, 0, byteArray.Length);
    }
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    {
        if (HttpStatusCode.OK == response.StatusCode)
        {
            // Header names are case-insensitive; WebHeaderCollection handles that for us
            headerValue = response.Headers["X-Frame-Options"] ?? "";
        }
    }
    return headerValue;
}

PHP function that retrieves the response headers of a site

function getResponseHeader($url)
{
    // get_headers() performs a request and returns the response headers;
    // the second argument (1) keys the array by header name, e.g. $h['X-Frame-Options']
    return get_headers($url, 1);
}
$url = 'http://www.google.com/';
$res_arr = getResponseHeader($url);
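Once the headers have been fetched, the framing decision itself is the part a browser applies. The following added example (not code from the original post) implements the DENY / SAMEORIGIN logic described above over a raw HTTP response; the sample responses and host names are constructed, and "origin" is compared as scheme, host and port, which is what SAMEORIGIN actually means.

```python
# Added example: decide, the way a browser does, whether a page at frame_url may embed
# target_url in an IFRAME, given the raw response of target_url. Only the two values
# the text covers (DENY, SAMEORIGIN) are handled; sample responses are constructed.
from urllib.parse import urlsplit


def parse_headers(raw_response):
    """Return {lowercased-name: value} from a raw HTTP response (status line + headers)."""
    headers = {}
    lines = raw_response.split("\r\n")
    for line in lines[1:]:            # skip the status line
        if not line:
            break                     # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_of(url):
    """Origin = scheme + host + port; a sub-domain or a different scheme is a different origin."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def framing_allowed(frame_url, target_url, target_raw_response):
    """Return 'allowed', 'denied' or 'invalid' for loading target_url inside frame_url."""
    value = parse_headers(target_raw_response).get("x-frame-options")
    if value is None:
        return "allowed"              # no header: the browser loads the frame
    option = value.strip().upper()    # header values are matched case-insensitively
    if option == "DENY":
        return "denied"
    if option == "SAMEORIGIN":
        return "allowed" if origin_of(frame_url) == origin_of(target_url) else "denied"
    return "invalid"                  # unrecognised value: flag it as a misconfiguration to fix


# Constructed sample responses (not captured from any real site)
DENY_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>"
SAMEORIGIN_RESPONSE = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"
NO_HEADER_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(framing_allowed("https://other.example/", "https://site.example/login", DENY_RESPONSE))
    print(framing_allowed("https://site.example/a", "https://site.example/b", SAMEORIGIN_RESPONSE))
```

Note that the sub-domain case the "Do's" warn about falls out naturally: app.site.example framing site.example is refused under SAMEORIGIN.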

(Note: framing third-party content in another web page raises copyright issues, so please make sure you are not violating the website's copyright terms.)

By, Dharmendra Mistry