How to set X-Frame Options to ALLOW-FROM https://example.com and SAMEORIGIN on server

I have a requirement to set the X-Frame options on the server level to either:

  • X-Frame-Options: SAMEORIGIN
  • X-Frame-Options: ALLOW-FROM https://example.com/

Understand that X-Frame Options are mutually exclusive. See here.

However, my application requires framing in https://example.com and also from its SAMEORIGIN.

Please advise if there is a way around this while retaining my application's requirement to allow framing on the same origin and be framed on 1 external site.

Or is this impossible?

user3188291 asked Jul 20 '17 02:07



1 Answer

In addition to only supporting one instance of the header, X-Frame-Options does not support any more than just one site, SAMEORIGIN or not.

You'll have to use Content-Security-Policy and frame-ancestors, which does support multiple origins, like so:

Content-Security-Policy: frame-ancestors 'self' https://example.com

A couple notes to bear in mind:

  • frame-ancestors obsoletes X-Frame-Options - meaning that if frame-ancestors is present and the browser supports it, it will override the behaviour of X-Frame-Options.
  • Internet Explorer and Edge do not currently support the frame-ancestors directive, according to MDN. This means they will fall back to X-Frame-Options. If you need to support multiple origins in IE or Edge, see this answer on SO with a workaround.
Adaline Simonian answered Oct 23 '22 13:10
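The following is an added illustration, not code from the question or the answer above: a small model of how a browser decides whether a page may be framed, given the two headers the answer recommends sending together (`Content-Security-Policy: frame-ancestors 'self' https://example.com` for modern browsers, `X-Frame-Options: SAMEORIGIN` as the fallback for browsers without `frame-ancestors` support). The page origin `https://app.example.org` and the ancestor URLs are constructed sample values; the evaluator covers `'self'`, `'none'`, scheme sources, host sources with optional scheme, port and leading `*.` wildcard, and checks every ancestor in the frame chain, which goes slightly beyond the single origin in the answer.

```python
from urllib.parse import urlsplit

# Constructed sample policy: the page served from PAGE_URL sends both headers.
PAGE_URL = "https://app.example.org/"
CSP_VALUE = "frame-ancestors 'self' https://example.com"  # from the answer
XFO_VALUE = "SAMEORIGIN"                                  # fallback for IE/Edge

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS.get(scheme))


def parse_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None if the
    directive is absent (in which case a browser falls back to X-Frame-Options)."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source, ancestor, page):
    """Does one frame-ancestors source expression match the ancestor origin?"""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == page
    a_scheme, a_host, a_port = ancestor
    if source.endswith(":") and "://" not in source:      # scheme-source, e.g. https:
        return a_scheme == source[:-1]
    if "://" in source:                                   # full origin with scheme
        scheme, host_port = source.split("://", 1)
    else:                                                 # bare host, optional port
        scheme, host_port = None, source
    host, _, port = host_port.partition(":")
    if scheme is not None and a_scheme != scheme:
        return False
    # A scheme-less host source matches the page's own scheme, or https (upgrade).
    if scheme is None and a_scheme not in (page[0], "https"):
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):                 # host[1:] is ".example.com"
            return False
    elif a_host != host:
        return False
    expected_port = int(port) if port else DEFAULT_PORTS.get(a_scheme)
    return a_port == expected_port


def framing_allowed(ancestor_urls, csp=CSP_VALUE, xfo=XFO_VALUE,
                    page_url=PAGE_URL, supports_frame_ancestors=True):
    """Decide whether the page may be rendered inside the given chain of ancestor
    frames (outermost last). frame-ancestors, when supported and present, takes
    precedence and X-Frame-Options is ignored; otherwise X-Frame-Options applies."""
    page = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    sources = parse_frame_ancestors(csp) if supports_frame_ancestors else None
    if sources is not None:
        return all(any(source_matches(s, a, page) for s in sources) for a in ancestors)
    # Fallback path: X-Frame-Options, which knows only one origin or SAMEORIGIN.
    value = xfo.strip()
    if value.upper() == "DENY":
        return False
    if value.upper() == "SAMEORIGIN":
        return all(a == page for a in ancestors)
    if value.upper().startswith("ALLOW-FROM"):
        allowed = origin_of(value.split(None, 1)[1].strip())
        return all(a == allowed for a in ancestors)
    return True  # no recognised header: browsers allow framing


def response_headers():
    """Both headers a server should emit so that modern browsers honour the
    multi-origin policy while older ones still get same-origin protection."""
    return {"Content-Security-Policy": CSP_VALUE, "X-Frame-Options": XFO_VALUE}


if __name__ == "__main__":
    for chain in (["https://app.example.org/home"], ["https://example.com/embed"],
                  ["https://other.example.net/"]):
        print(chain, "csp:", framing_allowed(chain),
              "xfo-only:", framing_allowed(chain, supports_frame_ancestors=False))
```

The last case in the script shows the limitation the answer points out: a browser that ignores `frame-ancestors` and falls back to `X-Frame-Options: SAMEORIGIN` will refuse framing from `https://example.com`, so the external-site requirement is only met where `frame-ancestors` is supported.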