Topic: Cross Domain iFrame Access Issue
Divya
Joined: 12 Jan 2016 Posts: 4 Location: USA
Posted: Wed 12 Apr '17 17:18 Post subject: Cross Domain iFrame Access Issue
Apache Version : Server version: Apache/2.2.15 (Unix)
OS : uname -a
Linux rciindvwebd101 2.6.32-642.4.2.el6.x86_64 #1 SMP Tue Aug 23 10:42:14 PDT 2016 x86_64 x86_64 x86_64 GNU/Linux
Getting the following error when trying to embed an iframe on a cross domain
Uncaught DOMException: Blocked a frame with origin "https://***********" from accessing a cross-origin frame.
Following implemented in httpd.conf with no help
Header set X-Frame-Options ALLOW-FROM="https://****************"
Thanks,
Divya
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 13 Apr '17 0:34 Post subject:
Edit: I was incorrect
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 13 Apr '17 1:41 Post subject:
I wasn't completely wrong, I knew the = did not belong.
Try
Code:
Header set X-Frame-Options "ALLOW-FROM https://www.zyx.xyz"
Divya
Joined: 12 Jan 2016 Posts: 4 Location: USA
Posted: Thu 13 Apr '17 13:39 Post subject:
I did initially do "Header set X-Frame-Options "ALLOW-FROM https://www.zyx.xyz", it threw an error
error: envclause should be in the form env=envar
and it worked when I set an equals, and in fact I later found somebody had posted it the same way as well:
1) if specified in the form above, for example
Header always append X-Frame-Options ALLOW-FROM http://www.example.com
Apache service won't start, complaining about incorrect syntax of this command. The only way it worked is when I wrote it this way
Header always append X-Frame-Options ALLOW-FROM=http://www.example.com
Why doesn't any guide mention there should be the equals sign? It also doesn't seem like standard syntax in httpd.conf
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 15 Apr '17 0:02 Post subject:
Are you sure that is what you had, quoted like that?
With no quotes;
Header set X-Frame-Options ALLOW-FROM https://www.zyx.xyz
with incorrect quotes
Header set X-Frame-Options ALLOW-FROM "https://www.zyx.xyz"
These will cause an error just as you had.
Syntax error on line 202 of D:/Apache22/conf/httpd.conf
error: envclause should be in the form env=envar
it's seeing the 4th value (https://www.zyx.xyz) where it is expecting env=SOMEVAR
ALLOW-FROM https://www.zyx.xyz
is the entire single value and must be quoted because of the space.
Header set X-Frame-Options "ALLOW-FROM https://www.zyx.xyz"
This works in the 4 Apache versions I tried.
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 20:58:46 GMT
Server: Apache/2.2.16 (Win32)
Last-Modified: Sat, 20 Nov 2004 22:16:26 GMT
Etag: "200000001cf13-2c-3e957f9698280"
Accept-Ranges: bytes
Content-Length: 44
X-Frame-Options: ALLOW-FROM https://www.zyx.xyz
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 22:20:35 GMT
Server: Apache/2.0.35 (Win32)
Last-Modified: Wed, 03 Jul 1996 09:18:16 GMT
Etag: "0-916-2c626600"
Accept-Ranges: bytes
Content-Length: 2326
X-Frame-Options: ALLOW-FROM https://www.zyx.xyz
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: image/gif

HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 21:12:14 GMT
Server: Apache/1.3.17 (Win32)
X-Frame-Options: ALLOW-FROM https://www.zyx.xyz
Last-Modified: Wed, 03 Jul 1996 09:18:16 GMT
Etag: "0-916-31da3ad8"
Accept-Ranges: bytes
Content-Length: 2326
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: image/gif

HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 21:16:39 GMT
Server: Apache/2.4.26-dev (Win64)
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Accept-Ranges: bytes
X-Frame-Options: ALLOW-FROM https://www.zyx.xyz
Keep-Alive: timeout=5, max=100
Transfer-Encoding: chunked
Content-Type: text/html
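
The directive spellings compared in this thread can be told apart mechanically. The checker below is an added example, not code from any poster or from Apache; it assumes Python's `shlex` splitting is close enough to httpd's quote-aware argument parsing, and the function names are hypothetical.

```python
import shlex
from urllib.parse import urlsplit

CONDITIONS = {"always", "onsuccess"}
ACTIONS = {"set", "append", "add", "merge"}

def valid_xfo(value):
    """True if value is DENY, SAMEORIGIN or 'ALLOW-FROM <origin>' (RFC 7034)."""
    parts = value.split()
    if len(parts) == 1:
        return parts[0].upper() in {"DENY", "SAMEORIGIN"}
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM":
        url = urlsplit(parts[1])
        return url.scheme in {"http", "https"} and bool(url.netloc)
    return False

def check_header_line(line):
    """Return 'config-error', 'invalid-xfo', 'ok' or 'not-xfo' for one directive."""
    # Assumption: shlex approximates how httpd splits directive arguments.
    args = shlex.split(line)
    if not args or args[0].lower() != "header":
        return "not-xfo"
    args = args[1:]
    if args and args[0].lower() in CONDITIONS:
        args = args[1:]
    if len(args) < 3 or args[0].lower() not in ACTIONS:
        return "not-xfo"
    name, value, extra = args[1], args[2], args[3:]
    if name.rstrip(":").lower() != "x-frame-options":
        return "not-xfo"
    # After the value only one more argument is accepted: `early` or env=VAR.
    # An unquoted origin lands in that slot and triggers the envclause error.
    if len(extra) > 1 or (extra and extra[0] != "early"
                          and not extra[0].startswith("env=")):
        return "config-error"
    # The directive loads, but the value sent may still mean nothing to a browser.
    return "ok" if valid_xfo(value) else "invalid-xfo"

# Directive spellings taken from the posts above.
SAMPLES = [
    'Header set X-Frame-Options ALLOW-FROM https://www.zyx.xyz',
    'Header set X-Frame-Options ALLOW-FROM "https://www.zyx.xyz"',
    'Header always append X-Frame-Options ALLOW-FROM=http://www.example.com',
    'Header set X-Frame-Options "ALLOW-FROM https://www.zyx.xyz"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{check_header_line(sample):13} {sample}")
```

A result of `invalid-xfo` means Apache starts and sends the header, but the value is not one of the forms RFC 7034 defines, so a browser will not read it as an allowed origin. Current browsers no longer honor `ALLOW-FROM` at all; `Content-Security-Policy: frame-ancestors` is the header they enforce for this.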