X-Frame-Options on Apache

user1619397 · Jun 13, 2013 · Viewed 156.9k times

I am trying to allow some particular domain to access my site via an iframe:

 Header set X-Frame-Options "ALLOW-FROM https://www.that-site.com"

I know this could be done by adding the line above to the config of the Apache server.

Two questions here.

1) Which config file should it be added to? Apache is running on both Unix and Windows, in case it is not the same file.

2) While enabling the allow-from, I still want to be able to run some iframes from my own domain. Can I just add the following line after the allow-from?

 Header set X-Frame-Options SAMEORIGIN

Or should I just add my own domain to the allow-from, i.e.

 Header set X-Frame-Options "ALLOW-FROM https://www.that-site.com, http://www.my-own-domain.com"

I really need to get this sorted out. Thanks in advance.

Answer

Chakri · Aug 5, 2013
  1. You can add it to .htaccess, httpd.conf or a VirtualHost section.
  2. Header set X-Frame-Options SAMEORIGIN: this is the best option.

Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN
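
The configuration discussed above, as an added example that is not part of the original question or answer. It assumes mod_headers is loaded and reuses the question's placeholder origin; the Content-Security-Policy frame-ancestors line is an addition the answer does not mention, shown as the standard way to allow your own origin plus one named site.

```apache
# Added example (not from the original post). Requires mod_headers.
# Works in httpd.conf, inside a <VirtualHost> block, or in .htaccess
# (.htaccess needs "AllowOverride FileInfo" for the Header directive).
<IfModule mod_headers.c>
    # Why the two-line idea from the question does not combine policies:
    # "Header set" replaces any earlier value of the same header, so with
    #   Header set X-Frame-Options "ALLOW-FROM https://www.that-site.com"
    #   Header set X-Frame-Options "SAMEORIGIN"
    # only SAMEORIGIN is sent. ALLOW-FROM also accepts a single origin,
    # so a comma-separated list is not a valid value.

    # Baseline for browsers that only understand X-Frame-Options:
    # framing is limited to the site's own origin.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Browsers that implement CSP frame-ancestors apply it instead of
    # X-Frame-Options, so they allow the own origin and the named site.
    # Browsers without it fall back to SAMEORIGIN and refuse the
    # third-party frame (fails closed).
    # If the site already sends a Content-Security-Policy, merge the
    # frame-ancestors directive into that policy rather than using
    # "set", which would replace the existing header.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://www.that-site.com"
</IfModule>
```

After reloading Apache, check the result with `curl -I` against the site and confirm that each header appears exactly once.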