How can the x-frame-options HTTP header of ADFS 3 be manipulated?

By default, ADFS 3 responses contain the “X-Frame-Options: DENY” HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.

At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.

It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?

For example as suggested in the RFC (

  1. A page that wants to render the requested content in a frame
    supplies its own origin information to the server providing the
    content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that
    the page is allowed to be framed by the target resource. This
    may, for example, happen via a lookup of a whitelist of trusted
    domain names that are allowed to frame the page. For example,
    for a Facebook “Like” button, the server can check to see that
    the supplied hostname matches the hostname(s) expected for that
    “Like” button.

  3. The server returns the hostname in “X-Frame-Options: ALLOW-FROM”
    if the proper criteria was met in step #2.

  4. The browser enforces the “X-Frame-Options: ALLOW-FROM” header.


Leave a Reply