Change the X-Frame-Options to allow all domains

Yuval Pruss · Jun 8, 2017 · Viewed 54.6k times

I am trying to use some site of mine as an iframe from a different site of mine.

My problem is that the other site is always changing its IP address and does not have a domain name.

So, I read that you can allow a specific domain by adding this line to the /etc/nginx/nginx.conf:

 add_header X-Frame-Options "ALLOW-FROM https://subdomain.example.com/";

My question is: Is it possible to allow my site to be imported as an iframe from all IP addresses and domains? What should I write in order to achieve this?

I am using Ubuntu 16.04 and nginx 1.10.0.

Answer

Quentin · Jun 8, 2017

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.
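The two approaches from the answer, written out as an nginx server block. This is an added example, not part of the original question or answer; the server name, the `/embed/` path and the listed origins are placeholders.

```nginx
# Constructed example: server_name, paths and origins are placeholders.
server {
    listen 80;
    server_name framed.example.com;

    # Pages that any site may frame: send no framing header at all.
    # Limiting this to the paths that must be embeddable keeps the rest
    # of the site covered by the policy in "location /" below.
    location /embed/ {
        # Intentionally no X-Frame-Options and no frame-ancestors here.
        # If these pages are proxied, also drop a header set by the backend:
        # proxy_hide_header X-Frame-Options;
    }

    # Everything else: only this site and the listed origins may frame it.
    # frame-ancestors takes a space-separated list of origins.
    location / {
        add_header Content-Security-Policy "frame-ancestors 'self' https://subdomain.example.com https://partner.example.org" always;
    }
}
```

nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so check with `curl -I` that each location returns the framing headers you expect.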