X-Frame-Options on apache

I am trying to allow a particular domain to access my site via an iframe:

Header set X-Frame-Options ALLOW-FROM https://www.that-site.com

I know this can be done by adding the line above to the Apache server config.

Two questions here.

1) Which config file should it be added to? Apache is running on both Unix and Windows, in case the file is not the same.

2) While enabling ALLOW-FROM, I still want to be able to run some iframes from my own domain. Can I just add the following line after the ALLOW-FROM?

 Header set X-Frame-Options SAMEORIGIN

Or should I just add my own domain to the ALLOW-FROM, i.e.

 Header set X-Frame-Options ALLOW-FROM https://www.that-site.com, http://www.my-own-domain.com

I really need to get this solved. Thanks in advance.


I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.

To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):

Header set X-Frame-Options ALLOW-FROM http://to.be.deleted.com early
Header unset X-Frame-Options

The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.

I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.


This worked for me on all browsers:

  1. Created one page with all my javascript
  2. Created a 2nd page on the same server and embedded the first page using the object tag.
  3. On my third party site I used the Object tag to embed the 2nd page.
  4. Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.

See X-Frame-Options header on error response

You can simply add the following line to .htaccess:

Header always unset X-Frame-Options

  1. You can add it to .htaccess, httpd.conf or a VirtualHost section.
  2. Header set X-Frame-Options SAMEORIGIN is the best option.

ALLOW-FROM uri is not supported by all browsers. Reference: X-Frame-Options on MDN


What did it for me was the following; I added these directives in both the HTTP <VirtualHost *:80> and HTTPS <VirtualHost *:443> virtual host blocks:

ServerName your-app.com
ServerAlias www.your-app.com

Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"

The reasoning behind this? Well, by default, if it is already set, the server does not reset the X-Frame-Options header, so we first need to always remove the default value (in my case it was DENY), and then with the next rule set it to the desired value (in my case SAMEORIGIN). Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.
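To make the browser side of this concrete, here is an added example (not code from the thread) that models how a modern browser evaluates the headers discussed above: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, DENY and SAMEORIGIN are honoured, and the obsolete ALLOW-FROM form is ignored entirely. The domains are the question's placeholders, and the Apache lines quoted in the comment are an assumed configuration, not the thread's.

```python
from typing import Optional
from urllib.parse import urlsplit

def _origin(url: str) -> str:
    """Normalise a URL to scheme://host[:port] for origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, if present."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """May a document at embedder_url frame page_url, given the page's headers?
    Modern-browser rules (MDN / CSP2): a frame-ancestors directive wins over
    X-Frame-Options; DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete,
    so browsers ignore the whole header (i.e. it imposes no restriction)."""
    lower = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        for src in sources:
            s = src.strip("'").lower()
            if s == "self" and embedder == page:
                return True
            if s.startswith(("http://", "https://")) and _origin(s) == embedder:
                return True
        return False  # 'none', an empty source list, or no matching source
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # header absent, ALLOW-FROM, or unrecognised value: ignored

# Constructed header sets using the placeholder domains from the question.
# ASKED is the multi-value ALLOW-FROM the question proposes. FIXED is what the
# assumed Apache directives below would emit (not from the thread):
#   Header always set X-Frame-Options "SAMEORIGIN"
#   Header always set Content-Security-Policy "frame-ancestors 'self' https://www.that-site.com"
ASKED = {"X-Frame-Options":
         "ALLOW-FROM https://www.that-site.com, http://www.my-own-domain.com"}
FIXED = {"X-Frame-Options": "SAMEORIGIN",
         "Content-Security-Policy": "frame-ancestors 'self' https://www.that-site.com"}
```

Running framing_allowed over ASKED shows that the proposed multi-value ALLOW-FROM gives no protection at all in a modern browser, while FIXED admits exactly the site's own origin and https://www.that-site.com.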
