Reputation: 294
I'm building a web application on Apache. To prevent "click-jacking", it's been suggested that:
Most modern Web browsers support the X-Frame-Options HTTP header, ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY).
However, I need to allow frames from one site. That's typically done (in .htaccess) like this:
Header set X-Frame-Options "ALLOW-FROM https://www.that-site.com"
However (again), the site that I need to allow from is my local SharePoint site (that we access via http://sharepoint/SitePages/Home.aspx). I tried a few different things, but they all bring down the site except SAMEORIGIN, which disallows the frames I need. There's a possibility that the settings are already in the php.ini, but I'm not granted access to that and I can't really bother my IT staff with such a problem this week.
Help?!
Upvotes: 2
Views: 1716
Reputation: 5957
For your information, the ALLOW-FROM option is only supported by the Mozilla browser.
Upvotes: 1
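An added example, not code from either post: a small Python model of how a browser decides whether a parent page may frame a response. It compares the ALLOW-FROM header from the question with the Content-Security-Policy frame-ancestors directive, which is the standard replacement for ALLOW-FROM. Assumptions: the function names and the app.example.test / other.example.test URLs are constructed, only the direct parent is checked, sources are matched as exact origins (no wildcards), and a browser without ALLOW-FROM support is modelled as ignoring the header.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Reduce a URL to its (scheme, host, port) origin triple."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def may_frame(headers, page_url, parent_url, honours_allow_from):
    """True if a browser would let parent_url embed page_url in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors takes precedence over X-Frame-Options when both are sent.
        return any((s == "'self'" and parent == page) or
                   ("://" in s and origin(s) == parent) for s in sources)
    token, _, arg = h.get("x-frame-options", "").strip().partition(" ")
    token = token.upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return parent == page
    if token == "ALLOW-FROM" and honours_allow_from:
        return origin(arg.strip()) == parent
    # No header, an unknown value, or ALLOW-FROM in a browser that lacks it:
    # the header has no effect, so the page can be framed from anywhere.
    return True

# Constructed sample values; only the SharePoint URL comes from the question.
PAGE = "https://app.example.test/report.php"
SHAREPOINT = "http://sharepoint/SitePages/Home.aspx"
OTHER = "https://other.example.test/"
LEGACY = {"X-Frame-Options": "ALLOW-FROM http://sharepoint"}
CSP = {"Content-Security-Policy": "frame-ancestors 'self' http://sharepoint"}

if __name__ == "__main__":
    for name, hdrs in (("ALLOW-FROM", LEGACY), ("frame-ancestors", CSP)):
        for parent in (SHAREPOINT, OTHER):
            print(name, parent, [may_frame(hdrs, PAGE, parent, b) for b in (True, False)])
```

The ALLOW-FROM header fails open in a browser that does not implement it, while the frame-ancestors policy gives the same answer in both cases. With mod_headers enabled, the equivalent .htaccess line is `Header always set Content-Security-Policy "frame-ancestors 'self' http://sharepoint"`.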