Last Modified: 12.09.2014

Frame restrictions can be enabled or disabled on the Anti-frame protection page (Settings > Proactive Protection > Anti-frame protection).

Cross-domain framing of the site's pages is prohibited by setting the X-Frame-Options header to the value SAMEORIGIN.

X-Frame-Options

This header tells the browser whether the website's pages may be loaded inside a <frame> or <iframe>.

The DENY value prohibits loading through frames altogether. The SAMEORIGIN value permits loading through frames only when the framed page and the page that loads the frame are located on the same domain (Same Origin Policy).

The main purpose of this protection is to prevent clickjacking. As an additional benefit, it also prevents the attack described by Ben Schmidt.
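The following is an added example, not Bitrix code: a small model of how a browser applies the X-Frame-Options header described above, together with an audit helper for checking a page's response headers. Origins are compared as scheme, host and port (so an http page cannot be framed by an https page on the same host under SAMEORIGIN). The treatment of a comma-joined header with conflicting values (fall back to DENY) and of an unrecognised value (header ignored) follows Chromium's behaviour and is an assumption about the browser, not something the Bitrix page states; the URLs and headers are constructed sample data.

```python
"""Model of X-Frame-Options (RFC 7034) enforcement and a response-header audit.
Added example with constructed data; not part of Bitrix."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, normalising the
    default port so that https://a and https://a:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def effective_directive(header_value):
    """Collapse a raw header value into one directive:
    'DENY', 'SAMEORIGIN', None (header absent) or 'INVALID'
    (unrecognised, which browsers ignore).
    Several distinct comma-joined values fall back to DENY, as Chromium does
    (assumption about current browser behaviour)."""
    if header_value is None:
        return None
    tokens = {t.strip().upper() for t in header_value.split(",") if t.strip()}
    if not tokens:
        return "INVALID"
    if len(tokens) > 1:
        return "DENY"
    token = tokens.pop()
    return token if token in ("DENY", "SAMEORIGIN") else "INVALID"


def framing_allowed(header_value, framed_url, top_url):
    """Would a browser render framed_url inside a frame on the page top_url,
    given the X-Frame-Options value that framed_url was served with?"""
    directive = effective_directive(header_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(framed_url) == origin(top_url)
    # Absent or invalid header: X-Frame-Options imposes no restriction.
    return True


def audit_response(headers):
    """Return a one-line finding for a dict of HTTP response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-frame-options"), None)
    directive = effective_directive(value)
    if directive is None:
        return ("MISSING: no X-Frame-Options header; the page can be framed "
                "from another domain (clickjacking risk)")
    if directive == "INVALID":
        return (f"INVALID: X-Frame-Options {value!r} is not a recognised "
                "value and will be ignored by the browser")
    return f"OK: X-Frame-Options {directive}"


# Constructed sample responses, as a scanner might collect them.
SAMPLE_RESPONSES = {
    "https://shop.example.com/cart": {"Content-Type": "text/html",
                                      "X-Frame-Options": "SAMEORIGIN"},
    "https://shop.example.com/old": {"Content-Type": "text/html"},
    "https://shop.example.com/widget": {"X-Frame-Options": "ALLOWALL"},
}

if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES.items():
        print(url, "->", audit_response(headers))
    print(framing_allowed("SAMEORIGIN", "https://shop.example.com/cart",
                          "https://evil.example.net/"))   # False
```

Run the module directly to see the audit of the three constructed responses; `framing_allowed` can be reused to reason about a specific framing scenario before changing the setting or adding a page to the exceptions.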

If necessary, you can exclude a page from this protection by defining the constant B_SECURITY_FRAME as false before including the core.
