I have a client who uses ColdFusion 10 and IIS 7.5 on Win 2k3 R2. The ColdFusion admin uses frames. When I log into the CF admin I'm seeing a blank white screen in Chrome and in IE I am seeing a message telling me this:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
I see a few of this message (1 for each frame) in the chrome dev console:
Refused to display 'http://localhost/CFIDE/Administrator/navserver.cfm' in a frame because it set 'X-Frame-Options' to 'DENY'.
Looking at the response headers in Chrome, I can see that this is set to DENY.
I can't figure out where this is coming from. All of the sites on this server now are outputting this header. I never explicitly configured anything to output this header. I know CF wouldn't have done so in a patch because it would break its own admin interface.
IIS's root server-wide configuration HTTP Response Headers doesn't have a X-Frame-Options set and neither do any of the configured websites.
If I explicitly add an X-Frame-Options header and set it to sameorigin I see both headers (deny and sameorigin).
Is there perhaps some software the client's security team might have installed that would be injecting this header?
I'm accessing the site on localhost so I can't imagine that it's a network device causing the problem. It must be on the server itself, right?
Any ideas?
This could be set within ColdFusion, assuming it's been locked down. Look in (instancename)/wwwroot/WEB-INF/web.xml for the rules around clickjack. Might look something like this:
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Another way to test to see if this is being caused by IIS is to set up a frame sample with straight HTML pages and if it works the block is at the ColdFusion level. If straight HTML does not work then it is happening at IIS or some other server location.
In IIS, HTTP Response Headers can be set server-wide (affecting all sites) and/or site-wide (affecting only the current site).
Reading your question again, I see I may not have helped you. Good luck.