I am trying to allow some particular domain to access my site via iframe
Header set X-Frame-Options ALLOW-FROM https://www.that-site.com
I
I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.
To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):
Header set X-Frame-Options ALLOW-FROM http://to.be.deleted.com early
Header unset X-Frame-Options
The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.
I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced Javascript from trusted sites still gets to run.
This worked for me on all browsers:
What did it for me was the following. I added these directives in both the http <VirtualHost *:80> and https <VirtualHost *:443> virtual host blocks:
ServerName your-app.com
ServerAlias www.your-app.com
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
The reasoning behind this? Well, by default, if it is set, the server does not reset the X-Frame-Options header, so we need to first always remove the default value (in my case it was DENY) and then, with the next rule, set it to the desired value (in my case SAMEORIGIN). Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.
See X-Frame-Options header on error response
You can simply add the following line to .htaccess:
Header always unset X-Frame-Options
.htaccess, httpd.conf or VirtualHost section:
Header set X-Frame-Options SAMEORIGIN
This is the best option. Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN
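Added here as an example that is not part of any answer above: a small Python model of how a browser evaluates the headers discussed on this page, namely X-Frame-Options DENY and SAMEORIGIN, ALLOW-FROM being ignored by browsers that do not support it, and a Content-Security-Policy frame-ancestors directive taking precedence over X-Frame-Options when the browser supports CSP. It only checks the top-level framing origin, and the header values, URLs and the may_frame/source_matches names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) for a URL, with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def source_matches(src, page_url, framer_url):
    """Match one CSP frame-ancestors source expression against the framing page."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(page_url) == origin_of(framer_url)
    if src == "*":
        return True
    fs, fh, fp = origin_of(framer_url)
    if src.endswith(":") and "/" not in src:        # scheme-source such as "https:"
        return fs == src[:-1]
    scheme, _, hostport = src.partition("://") if "://" in src else ("", "", src)
    host, _, port = hostport.partition(":")
    if scheme and scheme != fs:                     # explicit scheme must match
        return False
    if not scheme and fs not in (origin_of(page_url)[0], "https"):
        return False                                # scheme-less host: page scheme or https
    if port and port != "*" and int(port) != fp:
        return False
    if host.startswith("*."):                       # wildcard matches subdomains only
        return fh.endswith(host[1:]) and fh != host[2:]
    return fh == host

def may_frame(headers, page_url, framer_url, supports_csp=True):
    """True if a browser should render page_url inside a frame on framer_url.
    headers is a dict of response header name -> value (constructed input)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    csp = hdrs.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and supports_csp:
            # frame-ancestors wins; X-Frame-Options is ignored when both are present
            return any(source_matches(s, page_url, framer_url) for s in value.split())
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    # No header, or an unrecognised value such as ALLOW-FROM: the browser ignores it
    return True
```

The ALLOW-FROM branch is why the last answer recommends SAMEORIGIN plus frame-ancestors: a browser that does not recognise ALLOW-FROM discards the whole header and imposes no framing restriction at all.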