How to set X-Frame-Options Allow-From in nginx correctly

nginx cross-domain content-security-policy x-frame-options
Vadimo picture Vadimo · Jun 9, 2015 · Viewed 40.1k times · Source

Im trying to set the ALLOWED-FROM in Nginx but all settings I tried so far resulted in the following Chrome error: Invalid 'X-Frame-Options' header encountered when loading 'https://domain.com/#/register': 'ALLOW-FROM domain.com' is not a recognized directive. The header will be ignored.

This options I tried are those: (tried also with FQDN with https:// prefix)

  add_header X-Frame-Options "Allow-From domain.com"; 
  add_header X-Frame-Options "ALLOW-FROM domain.com"; 
  add_header X-Frame-Options "ALLOW-FROM: domain.com";
  add_header X-Frame-Options "Allow-From: domain.com";
  add_header X-Frame-Options ALLOW-FROM "domain.com";
  add_header X-Frame-Options ALLOW-FROM domain.com;

Answer

Ezequiel Bertti picture Ezequiel Bertti · May 13, 2016

in Chrome and Safari you need to use Content-Security-Policy

Content-Security-Policy: frame-ancestors domain.com

You can check more details on this site:

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

Related questions

POST request not allowed - 405 Not Allowed - nginx, even with headers included

I have a problem in trying to do a POST request in my application and I searched a lot, but I did not find the solution. So, I have a nodeJS application and a website, and I am trying to …

Read More
From inside of a Docker container, how do I connect to the localhost of the machine?

So I have a Nginx running inside a docker container, I have a mysql running on localhost, I want to connect to the MySql from within my Nginx. The MySql is running on localhost and not exposing a port to …

Read More
NGinx Default public www location?

I have worked with Apache before, so I am aware that the default public web root is typically /var/www/. I recently started working with nginx, but I can't seem to find the default public web root. Where can I …

Read More