Author: cetipabo
Joined: 17 Jan 2018 Posts: 5 Location: france
Posted: Wed 17 Jan '18 13:55 Post subject: X-Frame-Options Allow-From multiple url
Hello,
I have a problem with the use of this security setting.
I'm hosting 2 websites with 2 different domain names with Apache 2.4.29 on Debian 8:
site1.com
site2.com
I want to allow the use of iframes from both sites.
In site1.conf I have:
Header always set X-Frame-Options "ALLOW-FROM http://site2.com http://www.site2.com https://site2.com https://www.site2.com"
Header always set Referrer-Policy "same-origin"
In site2.conf I have:
Header always set X-Frame-Options "ALLOW-FROM http://site1.com http://www.site1.com https://site1.com https://www.site1.com"
Header always set Referrer-Policy "same-origin"
Unfortunately it doesn't work, it doesn't show the iframe with Internet Explorer 11... What am I doing wrong? I can't find any example for X-Frame-Options with multiple URIs... Is my syntax correct? Do I have to add the http and the https? And also the domain with or without the www?
Thank you for your help.
Last edited by cetipabo on Wed 17 Jan '18 16:36; edited 1 time in total
Author: admin (Site Admin)
Joined: 15 Oct 2005 Posts: 696
Posted: Wed 17 Jan '18 14:10
Searching ApacheLounge for X-Frame-Options gives some hits.
Especially www.apachelounge.com/viewtopic.php?t=7634
There glsmith states that Chrome/Safari/Firefox ignore it.
Author: cetipabo
Joined: 17 Jan 2018 Posts: 5 Location: france
Posted: Wed 17 Jan '18 14:30
I already read this topic, that's how I found this forum,
but it doesn't answer the question...
I know this header is only working for Internet Explorer and not considered by Chrome/Firefox.
Actually I also tried with a list like that but it still does not work:
Header always set X-Frame-Options "ALLOW-FROM http://site1.com"
Header always set X-Frame-Options "ALLOW-FROM http://www.site1.com"
Header always set X-Frame-Options "ALLOW-FROM https://site1.com"
Header always set X-Frame-Options "ALLOW-FROM https://www.site1.com"
Author: cetipabo
Joined: 17 Jan 2018 Posts: 5 Location: france
Posted: Wed 17 Jan '18 15:07
Even the RFC about the design for ALLOW-FROM is not clear to me...
https://tools.ietf.org/html/rfc7034#page-8
Quote: As the "ALLOW-FROM" field only supports one serialized-origin
Does it mean we can't add several URLs in 1 line?
Quote: 1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.
My iframe link is like this: http://www.site2.com/folder/page.php?a=1&b=2
Author: cetipabo
Joined: 17 Jan 2018 Posts: 5 Location: france
Posted: Wed 17 Jan '18 16:00
Well, according to what I read everywhere something is actually working as expected:
when I check the result with https://securityheaders.io I get a "B" because it says:
Quote: X-Frame-Options: We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL".
Looks like they don't know how to handle multiple URIs too.
Author: cetipabo
Joined: 17 Jan 2018 Posts: 5 Location: france
Posted: Wed 17 Jan '18 16:33
Looks like using an ending / in the URL is making it work:
works in IE11 and Firefox. Ignored in Chrome. And checking with https://securityheaders.io gives me an "A".
Now I'm confused, I don't know what is good and what is bad...
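A worked configuration for the problem raised in this thread, added here as an example; it is not code from the thread, from Apache's documentation or from securityheaders.io. The RFC 7034 sentence quoted above allows exactly one serialized-origin after ALLOW-FROM, which is why both the space-separated list in the first post and the four repeated Header lines fail validation: a site framed from several origins has to answer each request with the single origin of the page that is framing it. The fragment below, for site1.conf, derives that origin from the Referer request header using mod_setenvif and mod_headers. The environment variable name FRAMER_ORIGIN is an assumption; site1.com and site2.com are the thread's names. It also emits the Content-Security-Policy frame-ancestors directive, which lists several origins in one header and is what browsers that ignore ALLOW-FROM (Chrome, per the thread) honour.

```apache
# Added example for site1.conf (not from the thread): emit one ALLOW-FROM
# origin per request instead of a space-separated list.
# ALLOW-FROM takes a single serialized-origin (scheme://host[:port], no path),
# so http://site2.com, https://site2.com, http://www.site2.com and
# https://www.site2.com are four distinct origins and must be matched separately.
# FRAMER_ORIGIN is an assumed variable name; $1 is the captured origin.
SetEnvIf Referer "^(https?://(www\.)?site2\.com(:[0-9]+)?)/" FRAMER_ORIGIN=$1

# Matched: echo the framing page's own origin back as the single allowed one.
Header always set X-Frame-Options "ALLOW-FROM %{FRAMER_ORIGIN}e" env=FRAMER_ORIGIN
# No match (direct visit, another site, or Referer withheld): fall back to SAMEORIGIN.
Header always set X-Frame-Options "SAMEORIGIN" env=!FRAMER_ORIGIN

# Browsers that ignore ALLOW-FROM evaluate frame-ancestors, which takes the
# whole allowlist in one header; 'self' keeps site1's own pages frameable.
Header always set Content-Security-Policy "frame-ancestors 'self' https://site2.com https://www.site2.com http://site2.com http://www.site2.com"
```

Two points to check before relying on this. First, the thread's own configuration sends Referrer-Policy "same-origin" from site2, and under that policy site2's pages send no Referer on the cross-origin request for the framed page, so FRAMER_ORIGIN is never set and site1 answers SAMEORIGIN; a policy such as strict-origin-when-cross-origin sends only the origin with a trailing slash, which the pattern above matches, and the query-string parameter that the RFC text quoted above describes is the fallback for clients that send no Referer at all. Second, the check is still made by the browser: the Referer is set by the user's browser, not by script on the framing page, so a page on an unlisted origin receives SAMEORIGIN and the browser refuses to render the frame. A request such as `curl -I -H "Referer: https://www.site2.com/" https://site1.com/` shows which of the two X-Frame-Options values a given Referer produces.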