X-Frame-Options Set to Deny


X-Frame-Options:DENY is a header that forbids a page from being displayed in a frame. If your server is configured to send this header, your sign-on screen will not be allowed to load within the embed codes provided by Credo, which use the iframe HTML element. Instead, when you try to use the embed code, such as on your LibGuides, the frame will display as an empty white box.

You can confirm this by using the developer tools in your web browser to look for error messages, which will tell you why elements on your page aren't loading. If your server is sending an X-Frame-Options:DENY header, you will see an error message that looks something like this:

Refused to display the URL because it set X-Frame-Options to DENY

DENY is one of three possible directives for X-Frame-Options:

  • X-Frame-Options:DENY - Your sign-in screen is not allowed to be used in an embed code. Items must be hyperlinked.
  • X-Frame-Options:SAMEORIGIN - The page can only be embedded in a frame on a page with the same origin as itself.
  • X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this directive. You may wish to ask your IT department if they are able to add an exception for the page on which you're trying to embed.

This setting is a configuration on the institution's server, and is usually implemented for security reasons. Microsoft ADFS, which some institutions use for sign-on, has X-Frame-Options set to DENY by default.
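
The three directives above, written out as a check you can run against the headers your sign-on page returns. This is an added example, not code from Credo; the hostnames and the `framingVerdict` function are hypothetical, and the `browserSupportsAllowFrom` flag assumes, following Mozilla's documentation, that a browser without ALLOW-FROM support ignores the header completely.

```javascript
// Added example, not Credo's code: predict whether a browser renders pageUrl
// inside an iframe on embedderUrl, given the page's response headers.
// Simplification: only the directly embedding page is compared.
function framingVerdict(headers, pageUrl, embedderUrl, browserSupportsAllowFrom = false) {
  // Header names are case-insensitive, so normalise them before the lookup.
  const byName = {};
  for (const [name, value] of Object.entries(headers)) {
    byName[name.toLowerCase()] = String(value).trim();
  }
  const xfo = byName["x-frame-options"];
  if (!xfo) {
    return { allowed: true, reason: "no X-Frame-Options header sent" };
  }
  const pageOrigin = new URL(pageUrl).origin;
  const embedderOrigin = new URL(embedderUrl).origin;
  const [directive, ...rest] = xfo.split(/\s+/);

  switch (directive.toUpperCase()) {
    case "DENY":
      return { allowed: false, reason: "DENY: framing is never allowed" };
    case "SAMEORIGIN":
      return pageOrigin === embedderOrigin
        ? { allowed: true, reason: "SAMEORIGIN: embedder shares the page's origin" }
        : { allowed: false, reason: `SAMEORIGIN: ${embedderOrigin} is not ${pageOrigin}` };
    case "ALLOW-FROM": {
      if (!browserSupportsAllowFrom) {
        // Assumption (per Mozilla's docs): unsupported directive, header ignored.
        return { allowed: true, reason: "ALLOW-FROM not supported: header ignored" };
      }
      let listed = null;
      try { listed = new URL(rest[0]).origin; } catch { /* malformed or missing origin */ }
      return listed === embedderOrigin
        ? { allowed: true, reason: `ALLOW-FROM: ${embedderOrigin} is the listed origin` }
        : { allowed: false, reason: `ALLOW-FROM: ${embedderOrigin} is not the listed origin` };
    }
    default:
      // A value the browser cannot parse is treated as if no header was sent.
      return { allowed: true, reason: `unrecognised value "${xfo}": header ignored` };
  }
}

// Constructed sample inputs; hostnames are placeholders.
const signOn = "https://sso.example.edu/login";
const guide = "https://libguides.example.edu/research";
console.log(framingVerdict({ "X-Frame-Options": "DENY" }, signOn, guide));
console.log(framingVerdict({ "x-frame-options": "ALLOW-FROM https://libguides.example.edu" }, signOn, guide, true));
```

The ALLOW-FROM case with `browserSupportsAllowFrom` left at `false` is the one to show your IT department: in such a browser the exception loads the frame only because the header is ignored, so the page is no longer protected against framing by other sites.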

If you are experiencing this issue, you may wish to ask your IT department whether they are able to add an ALLOW-FROM exception for the page on which you're trying to embed. There are also a few alternatives that you may wish to consider:

  • If you are using LibGuides, you can try providing a hyperlink to your sign-on screen and instruct students to sign in directly on the sign-on page, then return to the LibGuide to view the content.
  • You can also choose to use hyperlinks only, instead of embed codes, to link to the content.
  • If you are embedding content within your LMS, you may want to consider setting up referring URL access, which would allow users to access Credo's platform without using your proxy sign-on as an intermediary.

You can read Mozilla's information about X-Frame-Options for more detailed notes about this header.
