X-Frame-Options Header Bypass via XML Stylesheet

The X-Frame-Options header is supposed to prevent a page from being embedded in an iFrame on another domain. I found that loading XML content inside an iFrame and referencing the protected URL as the XSL stylesheet allowed it to render in the iFrame regardless of its X-Frame-Options header. The browser fetches the stylesheet URL and displays its transformed output, effectively framing the content.

<!-- xml.xml (loaded inside the iFrame) -->
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<?xml-stylesheet type="text/xsl" href="xframe.aspx"?>
<xml></xml>

<!-- index.html -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />

<iframe src="xml.xml" width="600" height="120"></iframe>

The xframe.aspx server-side file sends X-Frame-Options: DENY or SAMEORIGIN, but because it is loaded as a stylesheet (not as a document URL), the header is ignored. The XML-stylesheet processing instruction bypasses the framing protection entirely. This was related to MSRC #11351 and worked on IE8, IE9, and IE10.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 DoS: Executing a Script in a Cached HTC Document After It Is Destroyed] :: [DoS: Silverlight Content Object Cached Across Page Reload] >