Reputation: 923
X-Frame-Options to support different subdomain of same domain
I want to know whether it's possible to support X-Frame-Options for a different subdomain of same domain.
Upvotes: 17
Views: 23055
Answers (1)
Reputation: 62663
According to RFC 6454, two URLs have the same origin, if and only if, they have identical schemes (protocols), hostnames, and ports. So a domain and its subdomain have different origins.
With old browsers, it was possible to use an X-FRAME-OPTIONS HTTP header, such as:
X-Frame-Options: ALLOW-FROM <origin>
but this is no more supported by modern browsers. See X-Frame-Options HTTP header on caniuse.com.
With modern browsers, you can use either:
X-Frame-Options: DENY
to deny all framing, or:
X-Frame-Options: SAMEORIGIN
to allow framing from the same origin.
To allow framing from a different origin, you now have to use the frame-ancestors CSP directive such as:
Content-Security-Policy: frame-ancestors https://sub1.ex.com https://sub2.ex.com;
Note that if both a frame-ancestors CSP directive and a X-Frame-Options: DENY header is present, the CSP directive takes precedence, as defined in the HTML living standard.
Upvotes: 0
Related Questions
- Apache X-Frame-Options Allow-From multiple domains
- How to set X-Frame Options to ALLOW-FROM https://example.com and SAMEORIGIN on server
- get error when set X-FRAME-OPTIONS in Apache HTTP Server 2.2
- Adding multiple domain/URL in Header set X-Frame-Options "ALLOW-FROM "
- Why following proxy does not bypass X-Frame-Options header?
- X-FRAME-OPTIONS allow-from a top-level domain, and all subsequent sub-domains
- How to "allow-from" more than one domain for "X-Frame-Options" in Rails 4 controller?
- X-Frame-Options and frames
- how to display another site in an iframe in spite of X-Frame-Options
- X-Domain Cookies in iFrames