X-Frame-Options for REST

2388
3
01-30-2014 01:41 PM
KeithSandell1
New Contributor II
Server 1 - Cloud Web Server on domain x

Server 2 - Cloud AGS Server on domain y, running AGS 10.1 and Web Adaptor

REST works good.

A geoprocessing service creates a pdf report that can be accessed successfully via the jobs folder.

I want to be able to display the report in an iframe in a jQuery Dialog from the page hosted on domain x, but these pesky X-Frame-Options on domain y are killing me.

To 'Server 2/domain y' I've tried adding an "ALLOW" header to the HTTP Response Headers in IIS at the instance level, default level and web adaptor level, as well as modifying the web.config for the web adaptor, but I can't shake the 'SAMEORIGIN' header.

The best I end up with is 'SAMEORIGIN' and 'ALLOW', which falls back to 'DENY'.

Am I headed in the right direction, but just not going far enough? Or am I off track?

Not sure if I need to restart anything after any of the above changes either?
Tags (2)
0 Kudos
3 Replies
RandallWilliams
Esri Regular Contributor
Is this issue perhaps related to CORS?

http://enable-cors.org
0 Kudos
KeithSandell1
New Contributor II
Is this issue perhaps related to CORS?

http://enable-cors.org


"Related"? Absolutely not. It's all about CORS!

The clientaccesspolicy and crossdomain xml files are set to allow access to everyone and their brother.

I've "added" custom headers to IIS at every level. I've "added" custom headers to the default site and to the web adaptor.

I've done these in every conceivable combination, or singularly, I can think of, but I've gotten nowhere.
Alexwang
Occasional Contributor II

HI Keith, have you found a solution? I had the exact issue and tried adding ALLOW-FROM at application level and web adapter level, but no luck. Thanks so much for any suggestions. 

0 Kudos