I am trying to allow some particular domain to access my site via iframe:
Header set X-Frame-Options ALLOW-FROM https://www.that-site.com
I know this could be done by adding the line above to the config of the Apache server.
Two questions here.
1) Which config file should it be added to? Apache is running on both Unix and Windows, if it is not the same file.
2) While enabling the allow-from, I still want to be able to run some iframes from my own domain. Can I just add the following line after the allow-from?
Header set X-Frame-Options SAMEORIGIN
Or should I just add my own domain in the allow-from, i.e.
Header set X-Frame-Options ALLOW-FROM https://www.that-site.com, http://www.my-own-domain.com
I really need to get this solved. Thanks in advance.
Double-click the HTTP Response Headers icon in the feature list in the middle. In the Actions pane on the right side, click Add. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field. Click OK to save your changes.
X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by attackers. The DENY option is the most secure, preventing any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it does enable the use of frames, but limits them to the current domain.
.htaccess, httpd.conf or VirtualHost section
Header set X-Frame-Options SAMEORIGIN
This is the best option. Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN
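As an added example (not part of the original question or answers), here is a small Python check for the two configurations the question proposes. It models only plain `Header set` / `Header unset` directives, where a later `set` replaces an earlier value of the same header; the function names and status labels are assumptions of this sketch.

```python
import re

# One origin only: scheme://host[:port]. This pattern is this sketch's own rule.
_ORIGIN = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?/?$")

def effective_header(directives):
    """Return the X-Frame-Options value left after a list of
    (action, name, value) directives, modelling Apache `Header set`
    (replaces any previous value) and `Header unset` (removes it)."""
    value = None
    for action, name, val in directives:
        if name.lower() != "x-frame-options":
            continue
        if action == "set":
            value = val
        elif action == "unset":
            value = None
    return value

def audit_xfo(value):
    """Classify one X-Frame-Options value as (status, note)."""
    if value is None:
        return ("missing", "no framing restriction is sent")
    v = value.strip()
    up = v.upper()
    if up in ("DENY", "SAMEORIGIN"):
        return ("ok", up)
    if up.startswith("ALLOW-FROM"):
        rest = v[len("ALLOW-FROM"):].strip()
        if "," in rest or " " in rest:
            return ("invalid", "ALLOW-FROM takes exactly one origin")
        if not _ORIGIN.match(rest):
            return ("invalid", "not a scheme://host origin")
        return ("weak", "ALLOW-FROM is not supported by all browsers")
    return ("invalid", "unknown directive")

if __name__ == "__main__":
    # Constructed from the question: ALLOW-FROM followed by SAMEORIGIN.
    two_sets = [
        ("set", "X-Frame-Options", "ALLOW-FROM https://www.that-site.com"),
        ("set", "X-Frame-Options", "SAMEORIGIN"),
    ]
    sent = effective_header(two_sets)
    print("two Header set lines ->", sent, audit_xfo(sent))
    # Constructed from the question: two origins in one ALLOW-FROM.
    listed = ("ALLOW-FROM https://www.that-site.com, "
              "http://www.my-own-domain.com")
    print("comma-separated list ->", audit_xfo(listed))
```

With the two `Header set` lines from the question, only SAMEORIGIN reaches the client, so the other site is no longer allowed; the comma-separated form is not a valid value at all.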
See X-Frame-Options header on error response
You can simply add the following line to .htaccess
Header always unset X-Frame-Options