NGINX X-Frame-Options allow only from single page
The RFC for the X-Frame-Options header states that valid options for the header are:
DENY
SAMEORIGIN
ALLOW-FROM <uri>
So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:
ALLOW-FROM https://subdomain.example.com/
Author: Flatron
Updated on September 18, 2022
Comments
-
Flatron almost 2 years
I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before we had:
add_header X-Frame-Options "SAMEORIGIN";
on all our pages. To accomplish what I want to do I tried:
add_header X-Frame-Options https://somewebsite.com;
This ends up allowing iframes as wanted but it allows them from every domain, not just from https://somewebsite.com. How can I deny iframes from all external pages but allow them from one subdomain?
Side info: both sites run on the same machine.
-
Flatron over 8 years
I added
add_header X-Frame-Options "ALLOW-FROM https://sub.example.com";
to my vHost configuration file. This ends in the same behaviour as before --> iframing is allowed from any domain. Does the used browser have an effect on this? I am using Google Chrome (48.0.2564.103)
-
heavyd over 8 years
See the table at the bottom of this page. Apparently Chrome does not support ALLOW-FROM.
-
BDN about 4 years
How can I enable multiple URI only?
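
An added example, not part of the original thread: a simplified Python model of how a browser treats the X-Frame-Options values discussed above. It shows why the bare-URL header from the question, and ALLOW-FROM in a browser without support for it (Chrome, per the comment above), both leave framing unrestricted. The function names and origins are constructed for illustration, and comparing against a single framing origin is a simplifying assumption.

```python
from urllib.parse import urlsplit

def parse_xfo(value):
    """Return (directive, origin) for a valid header value, else ("INVALID", None)."""
    parts = value.strip().split(None, 1)
    if not parts:
        return ("INVALID", None)
    directive = parts[0].upper()  # directive names are case-insensitive
    if directive in ("DENY", "SAMEORIGIN"):
        return (directive, None) if len(parts) == 1 else ("INVALID", None)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        url = urlsplit(parts[1].strip())
        if url.scheme in ("http", "https") and url.hostname:
            # Only scheme://host[:port] is compared; any path is dropped.
            return ("ALLOW-FROM", f"{url.scheme}://{url.netloc}".lower())
    return ("INVALID", None)

def framing_allowed(value, page_origin, framer_origin, supports_allow_from):
    """True if the page would render inside a frame hosted on framer_origin."""
    directive, origin = parse_xfo(value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    if directive == "ALLOW-FROM" and supports_allow_from:
        return framer_origin.lower() == origin
    # Invalid value, or ALLOW-FROM in a browser that does not implement it:
    # the header is ignored, so nothing restricts framing.
    return True

if __name__ == "__main__":
    page = "https://www.example.com"            # constructed sample origins
    outsider = "https://unrelated.example.net"
    headers = [
        "SAMEORIGIN",                           # original config in the question
        "https://somewebsite.com",              # bare URL tried in the question
        "ALLOW-FROM https://sub.example.com",   # config from the comment
    ]
    for header in headers:
        for supported in (True, False):
            verdict = framing_allowed(header, page, outsider, supported)
            print(f"{header!r:45} ALLOW-FROM support={supported!s:5} "
                  f"outsider can frame: {verdict}")
```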