Hi Vahid,

What issue you are seeing when you use this on inner pages?

Your site can have Content-Security-Policy headers that prevent it from being iframed.

Thanks , I am gettin refused to connect error.

I can see that the response header X-Frame-Options set as same origin. but how can I change the header to Content-Security-Policy in Episerver and does it have any risk?

Take a look at this page for an explanation and an example of configuration at the very bottom:
https://content-security-policy.com/

I do not think this is added by default, so I suspect you will find it if you search your code solution for "Content-Security-Policy".

If you want to change the CSP-header for specific pages, you could create an IHttpModule and add the header in OnPreSendRequestHeaders.

Vahid, see X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Configuring_IIS

In your web[.]config (or transformation file) see if you have something like this under system.webServer section:

<httpProtocol>
   <customHeaders>
      <!-- security audits like this -->
      <remove name="X-Powered-By" />
      <!-- add headers to improve security -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
   </customHeaders>
</httpProtocol>

BUT for that your options are limited to: DENY or SAMEORIGIN.

So you should remove that setting if you have it and then use CSP to limit who/what can load the page to an iframe.