I am trying to allow a particular domain to access my site via iframe:
Header set X-Frame-Options ALLOW-FROM https://www.example.com
I know this could be done by adding the line above to the Apache server config.
Two questions here.
- Which config file should this be added to? I have Apache running on both Unix and Windows, in case it is not the same file.
- While enabling the allow-from, I still want to be able to run some iframes from my own domain. Can I just add the following line after the allow-from?
Header set X-Frame-Options SAMEORIGIN
Or should I just add my own domain to the allow-from, i.e.
Header set X-Frame-Options ALLOW-FROM https://www.example.com, http://www.my-own-domain.example
I too have a similar situation. For security reasons (PCI requirement) I've added
Header append X-FRAME-OPTIONS "SAMEORIGIN"
to the .htaccess inside DocumentRoot. However, I tried adding the following to allow pages to be embedded in tweets. Unfortunately, not much luck. I tried adding the following to .htaccess under the blog/ sub-directory:
Header always append X-FRAME-OPTIONS ALLOW-FROM http://ht.ly/
You can add it to .htaccess, httpd.conf or the VirtualHost section:
Header set X-Frame-Options SAMEORIGIN
This is the best option. ALLOW-FROM uri is not supported by all browsers. Reference: X-Frame-Options on MDN
@Raptor maybe in older versions, because right now Chrome DOES support ALLOW-FROM; I'm browsing an intranet site with iframes whose sites set X-Frame-Options to this and I can view them without problems.
Using Apache on Ubuntu 18.04, I needed to edit /etc/apache2/conf-enabled/ssl-params.conf and replace 'Header always set X-Frame-Options DENY' with 'Header always append X-Frame-Options SAMEORIGIN', then restart the Apache service.
I wasted a lot of time expecting this to work in a VirtualHost section but it simply didn’t (Apache/2.4.6 CentOS). Maybe try putting it in the main body of httpd.conf if you’re having this problem.
– iforce2d Jan 10, 2023 at 5:46
See X-Frame-Options header on error response
You can simply add the following line to .htaccess:
Header always unset X-Frame-Options
- This is only useful if you’re looking to disable X-Frame-Options completely – which in some cases is not always the correct solution. Allowing Optimizely to function requires managing X-Frame-Options which also means constantly updating it. All websites should be using X-Frame-Options to increase their website security for their visitors. – Daniel Kenney Oct 22, 2015 at 2:50
- Thanks! I was getting "Refused to display 'example.com/admin/top.php' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('DENY, SAMEORIGIN'). Falling back to 'deny'." It worked!! – PJunior Oct 31, 2018 at 9:31
Thanks a lot! This resolved it; my header values were set to DENY, SAMEORIGIN and were falling back to DENY. Updating in VirtualHosts, the Apache config and .htaccess wasn't working.
– Shubh Sheth Mar 20, 2020 at 6:59
What did it for me was the following. I've added the following directives in both the HTTP <VirtualHost *:80> and HTTPS <VirtualHost *:443> virtual host blocks:
ServerName example.com
ServerAlias www.example.com
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
The reasoning behind this? Well, by default if set, the server does not reset the X-Frame-Options header, so we need to first always remove the default value (in my case it was DENY), and then with the next rule we set it to the desired value (in my case SAMEORIGIN). Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.
You have to enable mod_headers first on your server:
sudo a2enmod headers
sudo service apache2 restart
This worked for me on all browsers:
- Created one page with all my JavaScript.
- Created a second page on the same server and embedded the first page using the object tag.
- On my third-party site I used the object tag to embed the second page.
- Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.
I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN", then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.
To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):
Header set X-Frame-Options ALLOW-FROM http://example.com early
Header unset X-Frame-Options
The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with “early” processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with “late” processing.
I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.
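The "unset then set" pattern from the VirtualHost answer and the early/late trick from the answer just above, combined into one Apache configuration that also covers the original question (framing allowed from the site's own origin plus one trusted site), as an added example that is not code from any of the answers. The host names, the /embeddable/ path and the trusted origin https://www.example.com are placeholder assumptions.

```apache
# Added example, not from the answers above. Assumes mod_headers is enabled
# (sudo a2enmod headers) and that the host names, the /embeddable/ path and
# the trusted origin https://www.example.com are placeholders to replace.
<VirtualHost *:443>
    ServerName www.my-own-domain.example
    ServerAlias my-own-domain.example

    # 1. Early processing (before the content handler runs): pre-populate the
    #    header so an application that only adds X-Frame-Options when it is
    #    absent skips its own insertion. Harmless if the application never
    #    looks at Apache's outgoing header table.
    Header set X-Frame-Options "SAMEORIGIN" early

    # 2. Late processing: clear the header in BOTH tables mod_headers keeps.
    #    "always" targets the table sent with every response, including error
    #    responses and values set by a global "Header always set ... DENY";
    #    the plain form targets the table used for successful responses, which
    #    is where the early value from step 1 lands. Leaving either copy behind
    #    sends two X-Frame-Options headers, and a browser that sees conflicting
    #    values falls back to DENY (the "Refused to display" error above).
    Header always unset X-Frame-Options
    Header unset X-Frame-Options

    # 3. Emit exactly one value for the whole site.
    Header always set X-Frame-Options "SAMEORIGIN"

    # 4. X-Frame-Options cannot express "my own origin plus one trusted site":
    #    ALLOW-FROM takes a single origin and is not honoured by every browser.
    #    Content-Security-Policy frame-ancestors can list several origins, and
    #    browsers that implement it use it in preference to X-Frame-Options,
    #    so the header from step 3 remains as the fallback. Scope the relaxed
    #    policy to the pages that are actually meant to be embedded.
    <Location "/embeddable/">
        Header always set Content-Security-Policy "frame-ancestors 'self' https://www.example.com"
    </Location>
</VirtualHost>
```

Note that Header directives in a <Directory> block or .htaccess are applied after the virtual host's, so a stray "Header append X-Frame-Options" there will still produce a second copy; after restarting, confirm with curl -sI that a single X-Frame-Options header comes back.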
Source: https://stackoverflow.com/questions/17092154/x-frame-options-on-apache