Probably you should drop using X-Frame-Options in favour of the more compatible and up-to-date "Access-Control-Allow-Origin" header:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

And for extra fine-grained permissions then CSP (although keeping an eye on browser compatibility for the different parameters is advised):
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

On Mon, Oct 12, 2020 at 23:31, Herb Burnswell (<herbert.burnswell@xxxxxxxxx>) wrote:
>
> Hi,
>
> I have been using the following successfully in HTTPD config for some time:
>
> Header always set X-Frame-Options SAMEORIGIN
>
> The SAMEORIGIN is required for our use but now I am getting a request to allow X-Frame-Options to include specific URLs, say:
>
> https://example1.com
> https://example2.com
>
> In researching a bit, I found this suggesting this format:
>
> Header always set X-Frame-Options SAMEORIGIN
> Header always append X-Frame-Options "ALLOW-FROM https://example1.com/"
> Header always append X-Frame-Options "ALLOW-FROM https://example2.com/"
>
> However, when I tested it the response is:
>
> example.com refused to connect
>
> Is this the proper way to set up this need (SAMEORIGIN and multiple URL allows)? Are there any concerns with this type of configuration?
>
> Any guidance is appreciated.
>
> TIA,
>
> HB

--
Daniel

--
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
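
The CSP route mentioned in the reply, written out for the origins in the question. This is an added example, not part of the original thread: it assumes mod_headers is loaded, uses CSP's frame-ancestors directive, and treats https://example1.com and https://example2.com as the placeholder origins from the question.

```apache
# Added example, not from the thread. Assumes mod_headers is loaded.

# Configuration from the question, kept commented out for comparison.
# "append" merges the three values into a single header:
#   X-Frame-Options: SAMEORIGIN, ALLOW-FROM https://example1.com/, ALLOW-FROM https://example2.com/
# X-Frame-Options takes one directive, ALLOW-FROM is obsolete and never
# accepted more than one origin, and current browsers block the frame when
# SAMEORIGIN is mixed with other values, which matches "refused to connect".
#Header always set X-Frame-Options SAMEORIGIN
#Header always append X-Frame-Options "ALLOW-FROM https://example1.com/"
#Header always append X-Frame-Options "ALLOW-FROM https://example2.com/"

<IfModule mod_headers.c>
    # 'self' gives the SAMEORIGIN behaviour; each further origin is listed as
    # scheme://host with no path and no trailing slash.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://example1.com https://example2.com"

    # Fallback for browsers without frame-ancestors support: they see only
    # SAMEORIGIN, so the two external sites stay blocked there (fails closed).
    # Browsers that do support frame-ancestors ignore X-Frame-Options when
    # the CSP directive is present.
    Header always set X-Frame-Options SAMEORIGIN
</IfModule>

# If the application already sends its own Content-Security-Policy, add the
# frame-ancestors directive to that policy instead of maintaining two.
# Check the result with: curl -sI https://<your-host>/ and confirm a single
# X-Frame-Options value and the expected frame-ancestors list.
```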