How do you do this?
On example.com, I need to have it so an iFrame of example.com can load at subdomain.example.co.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
So it looks like the only two options are:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
And the one I would have wanted
ALLOW-FROM uri
Is deprecated according to the linked MDN.
Then there's frame-source
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using , , , , or .
Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers).
What does "valid parents" mean? Where specifically do I set this? It doesn't say which file on the server you need to change.
So if I say
Content-Security-Policy: frame-ancestors subdomain.example.co;
That will work? And if so, where on the server config do I do that?
1 Answer
frame-ancestors can only be set when Content-Security-Policy is set as a response header. It might be controlled in a .htaccess file, but it may also be set in other types of configuration, code, webserver or proxy, depending on your setup.
"Valid parents" would be the hosts that are allowed to frame your page. It could be multiple different pages and all the hosts in a chain of framing.
You can use X-Frame-Options ALLOW-FROM for IE when you also set frame-ancestors, as frame-ancestors will cause the browser to ignore X-Frame-Options for most other browsers. If you set the value in code, you can insert a value from a list of acceptable framers when the referrer matches.
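One way to produce those headers from application code, as an added example that is not part of the question or the answer: a fixed frame-ancestors allowlist plus the legacy X-Frame-Options fallback, where ALLOW-FROM is only ever filled with an exact allowlist entry matched against the Referer (the hostnames and the ALLOWED_FRAMERS list are assumptions).

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to frame this page (assumption).
ALLOWED_FRAMERS = (
    "https://subdomain.example.co",
    "https://admin.example.co",
)


def csp_frame_ancestors(allowed=ALLOWED_FRAMERS):
    """Static Content-Security-Policy value listing every allowed framer.
    An empty allowlist yields 'none', the equivalent of X-Frame-Options: DENY."""
    if not allowed:
        return "frame-ancestors 'none'"
    return "frame-ancestors " + " ".join(allowed)


def origin_of(url):
    """Reduce a Referer URL to scheme://host[:port]; None if it is unusable."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def frame_headers(referer, allowed=ALLOWED_FRAMERS):
    """Headers for one response. CSP-aware browsers use frame-ancestors and
    ignore X-Frame-Options; old IE gets ALLOW-FROM only when the Referer's
    origin is exactly on the allowlist, so a request can never echo an
    arbitrary Referer into the header. Anything else falls back to DENY."""
    headers = {"Content-Security-Policy": csp_frame_ancestors(allowed)}
    origin = origin_of(referer)
    if origin in allowed:
        headers["X-Frame-Options"] = f"ALLOW-FROM {origin}"
    else:
        headers["X-Frame-Options"] = "DENY"
    return headers


if __name__ == "__main__":
    # Constructed sample requests: an allowed framer and a look-alike host.
    for ref in ("https://subdomain.example.co/embed",
                "https://subdomain.example.co.attacker.example/"):
        print(ref, frame_headers(ref))
```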