Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

X-Frame-Options Allow-From multiple domains

I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header.

I also need to enable my site pages to be iframed from my same domain as well as from my facebook app.

Currently I have my site configured with a site headed of:

Response.Headers.Add("X-Frame-Options", "ALLOW-FROM SAMEDOMAIN, www.facebook.com/MyFBSite") 

When I viewed my Facebook page with Chrome or Firefox my sites pages (being iframed with my facebook page) are display ok, but under IE9, I get the error:

"this page cannot be displayed…" (because of the X-Frame_Options restriction).

How do I set the X-Frame-Options: ALLOW-FROM to support more than a single domain?

X-FRAME-OPTION being a new feature seems fundamentally flawed if only a single domain can be defined.

like image 477
user1340663 Avatar asked Apr 18 '12 07:04

user1340663


People also ask

How do I set X-Frame-options to allow all?

You can then send a X-Frame-Options response HTTP header with the value: "Allow-From ip-address", where ip address is the remote ip address that is trying to embed content on your server. This will allow your website to be embedded by all websites that are accessed using an ip address from the browser.

Is X-Frame-options deprecated?

X-Frame-Options Deprecated While the X-Frame-Options header is supported by the major browsers, it has been obsoleted in favour of the frame-ancestors directive from the CSP Level 2 specification.

What does X-Frame-options SAMEORIGIN mean?

X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself. X-Frame-Options:ALLOW-FROM - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.

Does Chrome support X-Frame-options allow-From?

Chrome does not support the ALLOW-FROM directive in X-Frame-Options. So if we are going to do anything involving other domains, we need something similar. We can stitch together a patchwork configuration involving both headers, which does something more than just allow same-origin framing.


1 Answers

X-Frame-Options is deprecated. From MDN:

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Do not use it in old or new projects. Pages or Web apps using it may break at any time.

The modern alternative is the Content-Security-Policy header, which along many other policies can white-list what URLs are allowed to host your page in a frame, using the frame-ancestors directive.
frame-ancestors supports multiple domains and even wildcards, for example:

Content-Security-Policy: frame-ancestors 'self' example.com *.example.net ; 

Unfortunately, for now, Internet Explorer does not fully support Content-Security-Policy.

UPDATE: MDN has removed their deprecation comment. Here's a similar comment from W3C's Content Security Policy Level

The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

like image 131
Kobi Avatar answered Nov 15 '22 16:11

Kobi