
X-Frame-Options to support different subdomain of same domain

I want to know whether it's possible to support X-Frame-Options for a different subdomain of same domain.

user1268130 asked Jun 17 '15 14:06


People also ask

Can a URL have multiple subdomains?

A subdomain is, as the name would suggest, an additional section of your main domain name. You create subdomains to help organize and navigate to different sections of your main website. Within your main domain, you can have as many subdomains as necessary to get to all of the different pages of your website.

What does X-Frame-options Sameorigin mean?

`X-Frame-Options: SAMEORIGIN` - This means that the page can only be embedded in a frame on a page with the same origin as itself. `X-Frame-Options: ALLOW-FROM` - The page can only be displayed in a frame on the specified origin. This only works in browsers that support this header.

Does same origin policy apply to subdomains?

The Basics of the Same-Origin Policy: One such restriction is that scripts executing on http://example.com are not allowed to access resources on http://subdomain.example.com. Restrictions are applied based on the document's origin, where an origin is defined in RFC 6454 Section 4.

What is multiple X-Frame-Options header entries?

'Multiple X-Frame-Options Header Entries' can result in only one 'X-Frame-Options' HTTP header being applied and the rest of them ignored or the configuration being incorrectly applied by the web browser.


1 Answer

There is an ALLOW-FROM uri for X-Frame-Options (honestly I haven't found a good example with multiple URIs). Unfortunately it is not supported by that many browsers according to OWASP (although the article seems a bit outdated). It is recommended that you use CSP (Content Security Policy).

pjanssen answered Nov 15 '22 23:11
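
The CSP directive that governs framing is `frame-ancestors`. The following is an added example, not part of the original answer: it builds that header for subdomains of one domain and models how the embedding page's origin is matched against it. `example.com`, `app.example.com` and the function names are placeholders, and the matcher is a simplified model (https sources on the default port only).

```javascript
// Added example: CSP frame-ancestors for sibling subdomains.
// example.com and all function names are placeholders (assumptions).

// Accept only https host-sources, optionally with one leading "*." label,
// followed by at least a registrable-looking "name.tld" (rejects "*" and "*.com").
const HOST_SOURCE = /^https:\/\/(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$/i;

// Build the response header, refusing sources that would open framing too widely.
function framingHeaders(sources) {
  for (const s of sources) {
    if (s !== "'self'" && !HOST_SOURCE.test(s)) {
      throw new Error(`refusing unsafe frame-ancestors source: ${s}`);
    }
  }
  return { "Content-Security-Policy": `frame-ancestors ${sources.join(" ")}` };
}

// Simplified model of how a browser matches one ancestor URL against the list.
function ancestorAllowed(ancestorUrl, selfOrigin, sources) {
  const a = new URL(ancestorUrl);
  return sources.some((s) => {
    if (s === "'self'") return a.origin === selfOrigin;
    // An https source does not match an http ancestor or a non-default port.
    if (a.protocol !== "https:" || a.port !== "") return false;
    const host = s.slice("https://".length).toLowerCase();
    if (host.startsWith("*.")) {
      // "*.example.com" matches any subdomain but NOT example.com itself.
      return a.hostname.endsWith(host.slice(1));
    }
    return a.hostname === host;
  });
}

// Constructed sample policy for a page served from app.example.com.
const SELF = "https://app.example.com";
const POLICY = ["'self'", "https://*.example.com"];
```

If the bare domain must also be allowed to frame the page, list it explicitly next to the wildcard, since `*.example.com` does not cover `example.com`.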