I have an Angular 15 app hosted on Azure IIS that works correctly with a web.config file and I have X-Frame-Options set to "deny". However there is one path I would like to allow to be iFramed (as part of Azure authentication) but I am not able to modify the web.config to make it work. I can only either have everything "deny" or everything "allow".
Here is my web.config file where I have a rule on the main configuration that skips the rewrite if the url is "empty". Then I set up a location "empty" (i.e. https://myserver.com/empty) that is the same config with X-Frame-Options change to allow. However, I get 500 error "The page cannot be displayed because an internal server error has occurred".
If I remove the location and the rule with action="None" the empty page can be displayed with no error. Is there something I am missing?
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="deny" />
</customHeaders>
</httpProtocol>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
<mimeMap fileExtension=".woff2" mimeType="font/woff2" />
</staticContent>
<rewrite>
<rules>
<rule name="Empty Angular Route" stopProcessing="true">
<match url="empty" />
<action type="None" />
</rule>
<rule name="Angular Route" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="./index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
<location path="empty">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options"/>
</customHeaders>
</httpProtocol>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
<mimeMap fileExtension=".woff2" mimeType="font/woff2" />
</staticContent>
<rewrite>
<rules>
<rule name="Empty Angular Route" stopProcessing="true">
<match url="empty" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="./index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</location>
</configuration>
Edit: Interestingly enough, I can get it to work with a static html page. Angular app is set to "deny" but the html page is set to "allow"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="deny" />
</customHeaders>
</httpProtocol>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
<remove fileExtension=".woff" />
<mimeMap fileExtension=".woff" mimeType="application/font-woff" />
<mimeMap fileExtension=".woff2" mimeType="font/woff2" />
</staticContent>
<rewrite>
<rules>
<rule name="Empty Page" stopProcessing="true">
<match url="empty.html" />
<action type="None" />
</rule>
<rule name="Angular Routes" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="./index.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
<location path="empty.html">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
</configuration>