logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



X-Frame-Options Allow-From?

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
alexjohnb



Joined: 26 Aug 2011
Posts: 19
Location: Middlesex University

PostPosted: Thu 18 May '17 13:17    Post subject: X-Frame-Options Allow-From? Reply with quote

Hi,

Any suggestions on how to configure Apache with the ALLOW-FROM option of the X-Frame-Options directive?

Up til today I had no problem with this line having the desired effect in the httpd.conf file:

Header always append X-Frame-Options SAMEORIGIN

But now I've been asked to use the ALLOW-FROM option, and I cannot get it to take effect, whatever I try. The web server starts fine, but there are no exceptions applied. Currently, I have this in httpd.conf:

<IfModule mod_headers.c>
# Allow some urls, block all others; whitelisting
<LocationMatch ^((?!(somewebsite)).)*$>
Header always append X-Frame-Options SAMEORIGIN
</LocationMatch>
</IfModule>

As I say, the web server starts, but there are no exceptions to the X-Frame-Options SAMEORIGIN. Any ideas, many thank!
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2101
Location: Sun Diego, USA

PostPosted: Thu 18 May '17 20:57    Post subject: Reply with quote

Header always set X-FRAME-OPTIONS "ALLOW-FROM http://www.example.com" ... note the quotes

Browsers Chrome & Safari ignore ALLOW-FROM and instead uses the Content-Security-Policy header with "frame-ancestors".
Back to top
alexjohnb



Joined: 26 Aug 2011
Posts: 19
Location: Middlesex University

PostPosted: Fri 19 May '17 6:45    Post subject: Reply with quote

Thank you, glsmith. My colleague alerted me to the fact that the problem had been resolved when she viewed her web site in Internet Explorer, but not when when she viewed it via Chrome or Mozilla Firefox. Is there some security setting in either of those browsers that determines whether they ignore "ALLOW-FROM"?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2101
Location: Sun Diego, USA

PostPosted: Sat 20 May '17 3:40    Post subject: Reply with quote

No, it's a WONTFIX on Chrome because of as I said, use content-security-policy. You should be using both as X-FRAME-OPTIONS never really got past a draft stage and is being phased out. Looks like latest FireFox no longer accepts it if she is correct.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1