
I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before, we had:

`add_header X-Frame-Options "SAMEORIGIN";` on all our pages.

To accomplish what I want to do I tried:

`add_header X-Frame-Options https://somewebsite.com;`

This ends up allowing iframes as wanted, but it allows them from every domain, not just from https://somewebsite.com.

How can I deny iframes from all external pages but allow them from one subdomain?

Side info:

Both sites run on the same machine.

– Flatron

1 Answer

The RFC for the X-Frame-Options header states that valid options for the header are:

  • `DENY`
  • `SAMEORIGIN`
  • `ALLOW-FROM <uri>`

So, first off, you need to add `ALLOW-FROM` and then specify the URI of your subdomain. Something like this:

`ALLOW-FROM https://subdomain.example.com/`
– heavyd
  • I added `add_header X-Frame-Options "ALLOW-FROM https://sub.example.com";` to my vHost configuration file. This ends in the same behaviour as before --> iframing is allowed from any domain. Does the browser used have an effect on this? I am using Google Chrome (48.0.2564.103). – Flatron Feb 08 '16 at 17:17
  • See the table at the bottom of [this page](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options). Apparently Chrome does not support `ALLOW-FROM`. – heavyd Feb 08 '16 at 17:48
  • How can I enable multiple URIs only? – BDN Apr 15 '20 at 13:20
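As an added check that is not part of the question or the answer: a small Python helper that pulls the `X-Frame-Options` value out of an nginx `add_header` line, classifies it against the three values the RFC allows, and emulates a browser's framing decision. It makes the failure mode on this page visible: a value that is not `DENY`, `SAMEORIGIN` or `ALLOW-FROM <uri>` (the bare URL tried in the question) is ignored by browsers and therefore fails open, and a browser that does not implement `ALLOW-FROM` (as the comment reports for Chrome) ignores that value too. The origins and directive lines are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# RFC 7034 allows exactly three X-Frame-Options values: DENY, SAMEORIGIN and
# ALLOW-FROM <origin>. A browser ignores any other value, so a malformed header
# (such as a bare URL) fails open rather than blocking framing.
_DIRECTIVE = re.compile(
    r'''add_header\s+X-Frame-Options\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))\s*;''', re.I)

def header_from_nginx(line: str) -> Optional[str]:
    """Extract the header value from an nginx `add_header X-Frame-Options ...;` line."""
    m = _DIRECTIVE.search(line)
    return next(g for g in m.groups() if g is not None) if m else None

def parse_xfo(value: str) -> dict:
    """Classify a header value as deny / sameorigin / allow-from / invalid."""
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return {"policy": v.lower(), "origin": None}
    m = re.fullmatch(r"ALLOW-FROM\s+(\S+)", v, re.IGNORECASE)
    if m:
        u = urlsplit(m.group(1))
        if u.scheme in ("http", "https") and u.netloc:
            # Only the origin (scheme://host[:port]) is compared; a trailing path is dropped.
            return {"policy": "allow-from", "origin": f"{u.scheme}://{u.netloc}".lower()}
    return {"policy": "invalid", "origin": None}

def framing_allowed(header: Optional[str], page_origin: str, embedder_origin: str,
                    supports_allow_from: bool = True) -> bool:
    """Emulate a browser deciding whether embedder_origin may frame page_origin.
    supports_allow_from=False models a browser that ignores ALLOW-FROM (as the
    comment above reports for Chrome): the header then has no effect at all."""
    if header is None:
        return True
    info = parse_xfo(header)
    if info["policy"] == "deny":
        return False
    if info["policy"] == "sameorigin":
        return embedder_origin.lower() == page_origin.lower()
    if info["policy"] == "allow-from" and supports_allow_from:
        return embedder_origin.lower() == info["origin"]
    return True  # invalid value or unsupported ALLOW-FROM: header ignored, framing allowed
```

Feed it the three directive lines from this page to see that only `SAMEORIGIN` blocks a third-party embedder in every browser, while the bare URL never blocks anything and `ALLOW-FROM` blocks only where the browser implements it.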