X-Frame-Options on apache

Submitted by 被刻印的时光 ゝ on 2019-11-28 21:10:39
Chakri
  1. You can add to .htaccess, httpd.conf or VirtualHost section
  2. Add "Header set X-Frame-Options SAMEORIGIN" (this is the best option)

Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN

See X-Frame-Options header on error response

You can simply add the following line to .htaccess

Header always unset X-Frame-Options

This worked for me on all browsers:

  1. Created one page with all my JavaScript
  2. Created a 2nd page on the same server and embedded the first page using the object tag.
  3. On my third party site I used the Object tag to embed the 2nd page.
  4. Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.

I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.

To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):

Header set X-Frame-Options ALLOW-FROM http://to.be.deleted.com early
Header unset X-Frame-Options

The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.

I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.
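The configuration below is an added example, not taken from any of the answers above, that puts the two-rule "early"/"late" trick and the Content-Security-Policy replacement together in one VirtualHost. The hostnames app.example.test and partner.example.test are placeholders.

```apache
# Added example (not from the answers above): allow exactly one trusted
# partner origin to frame this site and refuse framing from anywhere else.
# Hostnames are placeholders; substitute your own.
<VirtualHost *:443>
    ServerName app.example.test

    # Step 1, "early" phase (runs before the request handler): pre-set the
    # header so an application that only adds X-Frame-Options when it is
    # absent will skip its own SAMEORIGIN default.
    Header set X-Frame-Options "ALLOW-FROM https://partner.example.test" early

    # Step 2, default "late" phase (runs after the handler): drop
    # X-Frame-Options entirely. ALLOW-FROM is not honoured by every browser,
    # and "always" makes the unset apply to error responses as well.
    Header always unset X-Frame-Options

    # Step 3: the replacement. frame-ancestors is the CSP directive browsers
    # use for this decision; 'self' keeps same-origin framing working and the
    # partner origin is listed explicitly. Everything else is refused.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://partner.example.test"
</VirtualHost>
```

Check the result with a plain request to an error URL as well as a normal page; both responses should carry the Content-Security-Policy header and no X-Frame-Options header. Note that "Header always set" replaces any Content-Security-Policy the application itself emits, so if the application already sends a policy with other directives, add frame-ancestors to that policy in the application rather than overwriting it here.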
