Apache Lounge
X-Frame-Options Allow-From multiple url
cetipabo (Joined: 17 Jan 2018, Posts: 5, Location: france)
Posted: Wed 17 Jan '18 13:55    Post subject: X-Frame-Options Allow-From multiple url

Hello,
I have a problem with the use of this security setting.

I'm hosting 2 websites with 2 different domain names with Apache 2.4.29 on Debian 8:
site1.com
site2.com

I want to allow the use of iframes from both sites.

In site1.conf I have:
Header always set X-Frame-Options "ALLOW-FROM http://site2.com http://www.site2.com https://site2.com https://www.site2.com"
Header always set Referrer-Policy "same-origin"

In site2.conf I have:
Header always set X-Frame-Options "ALLOW-FROM http://site1.com http://www.site1.com https://site1.com https://www.site1.com"
Header always set Referrer-Policy "same-origin"

Unfortunately it doesn't work; it doesn't show the iframe with Internet Explorer 11... What am I doing wrong? I can't find any example for X-Frame-Options with multiple URIs... Is my syntax correct? Do I have to add the http and the https? And also the domain with or without the www?

Thank you for your help.


Last edited by cetipabo on Wed 17 Jan '18 16:36; edited 1 time in total
admin (Site Admin; Joined: 15 Oct 2005, Posts: 561)
Posted: Wed 17 Jan '18 14:10

Searching ApacheLounge for X-Frame-Options gives some hits.

Especially www.apachelounge.com/viewtopic.php?t=7634

There glsmith states that Chrome/Safari/Firefox ignore it.
cetipabo (Joined: 17 Jan 2018, Posts: 5, Location: france)
Posted: Wed 17 Jan '18 14:30

I already read this topic; that's how I found this forum.
But it doesn't answer the question...

I know this header only works for Internet Explorer and is not considered by Chrome/Firefox.

Actually I also tried with a list like that, but it still does not work:
Header always set X-Frame-Options "ALLOW-FROM http://site1.com"
Header always set X-Frame-Options "ALLOW-FROM http://www.site1.com"
Header always set X-Frame-Options "ALLOW-FROM https://site1.com"
Header always set X-Frame-Options "ALLOW-FROM https://www.site1.com"
cetipabo (Joined: 17 Jan 2018, Posts: 5, Location: france)
Posted: Wed 17 Jan '18 15:07

Even the RFC about the design of ALLOW-FROM is not clear to me...
https://tools.ietf.org/html/rfc7034#page-8

Quote:
As the "ALLOW-FROM" field only supports one serialized-origin

Does it mean we can't add several URLs in 1 line?

Quote:
1. A page that wants to render the requested content in a frame
supplies its own origin information to the server providing the
content to be framed via a query string parameter.

My iframe link is like this: http://www.site2.com/folder/page.php?a=1&b=2
cetipabo (Joined: 17 Jan 2018, Posts: 5, Location: france)
Posted: Wed 17 Jan '18 16:00

Well, according to what I read everywhere, something is actually working as expected:

Quote:
Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM http://www.site2.com/"
Header append X-Frame-Options "ALLOW-FROM http://site2.com/"
Header append X-Frame-Options "ALLOW-FROM https://www.site2.com/"
Header append X-Frame-Options "ALLOW-FROM https://site2.com/"

When I check the result with https://securityheaders.io I get a "B" because it says:

Quote:
X-Frame-Options: We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL".

Looks like they don't know how to handle multiple URIs either.
cetipabo (Joined: 17 Jan 2018, Posts: 5, Location: france)
Posted: Wed 17 Jan '18 16:33

Looks like using a trailing / in the URL makes it work:

Quote:
Header always set X-Frame-Options "ALLOW-FROM http://site2.com/ http://www.site2.com/ https://site2.com/ https://www.site2.com/"

Works in IE11 and Firefox. Ignored in Chrome. And checking with https://securityheaders.io gives me an "A".

Now I'm confused; I don't know what is good and what is bad...
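Added example for this thread, not code from the forum posts or from Apache httpd: a small checker that tests each X-Frame-Options value tried above against the RFC 7034 grammar cetipabo quotes (exactly one serialized-origin per ALLOW-FROM, no path) and simulates how `Header set` / `Header append` combine into the single value the browser receives. The merge rule (append joins with a comma) is an assumption about mod_headers used for illustration, and the inputs are constructed from the thread.

```python
import re

# RFC 7034 grammar: "DENY" / "SAMEORIGIN" / ("ALLOW-FROM" RWS SERIALIZED-ORIGIN)
# RFC 6454 serialized-origin: scheme "://" host [ ":" port ]  -- no path, so no trailing "/"
_ORIGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def validate_xfo(value):
    """Return (is_valid, reason) for one X-Frame-Options value as the browser receives it."""
    if "," in value:
        # What `Header append` produces: several values in one field, which RFC 7034 does not allow.
        return False, "several values merged into one header; RFC 7034 allows exactly one"
    parts = value.split()
    if not parts:
        return False, "empty value"
    keyword = parts[0].upper()
    if keyword in ("DENY", "SAMEORIGIN"):
        return (True, keyword) if len(parts) == 1 else (False, keyword + " takes no argument")
    if keyword == "ALLOW-FROM":
        if len(parts) != 2:
            return False, "ALLOW-FROM takes exactly one serialized-origin, not a space-separated list"
        if not _ORIGIN_RE.match(parts[1]):
            return False, parts[1] + " is not a serialized-origin (scheme://host[:port])"
        return True, "ALLOW-FROM " + parts[1]
    return False, "unknown directive " + parts[0] + " (not defined in RFC 7034)"


def apply_header_directives(directives):
    """Combine ('set'|'append', value) pairs into one field value (assumed mod_headers behaviour)."""
    current = None
    for action, value in directives:
        if action not in ("set", "append"):
            raise ValueError("unsupported action: " + action)
        if action == "set" or current is None:
            current = value                   # `set` replaces; `append` on a missing header creates it
        else:
            current = current + ", " + value  # `append` merges with a comma separator
    return current or ""


if __name__ == "__main__":
    # Constructed inputs mirroring the configurations tried in the thread.
    one_line = "ALLOW-FROM http://site2.com http://www.site2.com https://site2.com https://www.site2.com"
    print(validate_xfo(one_line))
    merged = apply_header_directives([("set", "SAMEORIGIN"),
                                      ("append", "ALLOW-FROM http://www.site2.com/"),
                                      ("append", "ALLOW-FROM http://site2.com/")])
    print(merged, "->", validate_xfo(merged))
    print(validate_xfo("ALLOW-FROM https://site2.com"))   # the only form the RFC defines
```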