I am working on implementing prevention of Clickjacking for our site. I started by adding the header X-Frame-Options: sameorigin. With this, our site cannot be loaded into any iframes hosted by any other sites, so the Clickjacking part worked fine.
Now the problem: we have a few pages where we are using iframes to load Authorize.Net CIM hosted forms, which make use of the iframeCommunicator Url option for cross-domain communication. After adding the X-Frame-Options header, the hosted form is not communicating with the payment gateway.
I am getting the error below in the console:
Refused to display 'http://localhost:44352/examplesite/payment/iFrameCommunicator#action=resizeWindow&width=1106&height=152' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
The above error came from the header I set inside web.config as below:
<add name="X-FRAME-OPTIONS" value="SAMEORIGIN" />
Other settings that I have tried:
<add name="X-Content-Security-Policy" value="frame-ancestors 'self' *.example.net*" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' *.example.net*" />
where *.example.net* is the payment gateway URL used for fetching the hosted form.
Are there some more settings that I need to add to load hosted forms while X-Frame-Options is enabled?
I found a post which was related to the problem I was facing. I have solved my issue. It was not related to Authorize.Net; there was an extra asterisk at the end of *.example.net in the header setting causing the issue.
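As an added example (not code from the question, the answer, or Authorize.Net), here is a small Python checker for the kind of mistake the answer describes: it validates a frame-ancestors source list against the source-expression grammar of CSP Level 3 and audits a response's anti-framing headers together. The header dictionaries are constructed from the values in the question; https://*.example.net is an assumed stand-in for the gateway origin.

```python
"""Check a response's anti-framing headers, in particular the CSP
frame-ancestors source list (grammar per CSP Level 3)."""
import re

# CSP Level 3: an ancestor-source is a scheme-source, a host-source, or the
# keyword 'self'; 'none' may only appear on its own. A host-part is "*", or an
# optional "*." followed by dot-separated labels, so a trailing "*" is invalid.
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
HOST_PART = r"(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"
PORT_PART = r"(?:\d+|\*)"
PATH_PART = r"/[^\s;,]*"
SCHEME_SOURCE = re.compile(rf"^{SCHEME}:$")
HOST_SOURCE = re.compile(
    rf"^(?:{SCHEME}://)?{HOST_PART}(?::{PORT_PART})?(?:{PATH_PART})?$"
)


def is_ancestor_source(token):
    """True if token is a syntactically valid frame-ancestors source."""
    if token == "'self'":
        return True
    return bool(SCHEME_SOURCE.match(token) or HOST_SOURCE.match(token))


def validate_frame_ancestors(value):
    """Return (ok, problems) for the value of a frame-ancestors directive."""
    tokens = value.split()
    if not tokens:
        return False, ["empty source list: nothing may frame this page"]
    if "'none'" in tokens:
        if len(tokens) > 1:
            return False, ["'none' must be the only source"]
        return True, []
    problems = []
    for tok in tokens:
        if tok.startswith("'"):
            if tok != "'self'":
                problems.append(f"{tok}: only 'self' or 'none' is allowed here")
        elif not is_ancestor_source(tok):
            problems.append(f"{tok}: not a valid host-source or scheme-source")
    return not problems, problems


def frame_ancestors_of(csp):
    """Return the frame-ancestors value from a full CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def audit_framing_headers(headers):
    """Report problems with the anti-framing headers of one response.

    headers: dict of header name -> value (names compared case-insensitively).
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    if "x-content-security-policy" in h:
        findings.append("X-Content-Security-Policy is a legacy prefixed header "
                        "that current browsers ignore; use Content-Security-Policy")
    ancestors = None
    if "content-security-policy" in h:
        ancestors = frame_ancestors_of(h["content-security-policy"])
        if ancestors is None:
            findings.append("Content-Security-Policy has no frame-ancestors directive")
        else:
            _, problems = validate_frame_ancestors(ancestors)
            findings.extend("frame-ancestors: " + p for p in problems)
    if "x-frame-options" in h:
        xfo = h["x-frame-options"].strip().upper()
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN "
                            "(ALLOW-FROM is not honoured by current browsers)")
        if ancestors is not None:
            findings.append("frame-ancestors is present, so browsers that support it "
                            "ignore X-Frame-Options: the CSP list alone decides "
                            "who may embed this page")
    elif "content-security-policy" not in h:
        findings.append("no anti-framing header: page can be framed by any site")
    return findings


# Constructed header sets: the broken value from the question and a corrected
# one. https://*.example.net is an assumed stand-in for the gateway's origin.
BROKEN = {"X-Frame-Options": "SAMEORIGIN",
          "Content-Security-Policy": "frame-ancestors 'self' *.example.net*"}
FIXED = {"X-Frame-Options": "SAMEORIGIN",
         "Content-Security-Policy": "frame-ancestors 'self' https://*.example.net"}

if __name__ == "__main__":
    for label, hdrs in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for finding in audit_framing_headers(hdrs):
            print("  -", finding)
```

Running it flags `*.example.net*` as an invalid host-source and accepts the version without the trailing asterisk. Note which page needs the relaxed policy: the console error shows the gateway's hosted form framing the site's own iFrameCommunicator page, so it is that page's response that must carry a frame-ancestors list naming the gateway origin, while the rest of the site can keep X-Frame-Options SAMEORIGIN.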