user1268130

Reputation: 923

X-Frame-Options to support different subdomain of same domain

I want to know whether it's possible to support X-Frame-Options for a different subdomain of same domain.

Upvotes: 17

Views: 23055

Answers (1)

Ortomala Lokni

Reputation: 62663

According to RFC 6454, two URLs have the same origin if and only if they have identical schemes (protocols), hostnames, and ports. So a domain and its subdomain have different origins.

With old browsers, it was possible to use an X-Frame-Options HTTP header, such as:

X-Frame-Options: ALLOW-FROM <origin>

but this is no longer supported by modern browsers. See X-Frame-Options HTTP header on caniuse.com.

With modern browsers, you can use either:

X-Frame-Options: DENY

to deny all framing, or:

X-Frame-Options: SAMEORIGIN

to allow framing from the same origin.

To allow framing from a different origin, you now have to use the frame-ancestors CSP directive such as:

Content-Security-Policy: frame-ancestors https://sub1.ex.com https://sub2.ex.com;

Note that if both a frame-ancestors CSP directive and an X-Frame-Options: DENY header are present, the CSP directive takes precedence, as defined in the HTML living standard.

Upvotes: 0
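As an added illustration (not part of the answer above, and not browser or library code), the following JavaScript models the decision the answer describes: RFC 6454 origin comparison, a simplified frame-ancestors source match (scheme, host with an optional leading "*." wildcard, port), and the precedence of frame-ancestors over X-Frame-Options. It assumes a single embedding ancestor (a real browser checks the whole ancestor chain) and response headers given as an object keyed by lowercase header name; the origins and header values are constructed for the example.

```javascript
// Added example: a small model of a browser's "may this page be framed?"
// decision. Not the original answer's code. Assumes one ancestor origin
// given as "scheme://host[:port]" and headers keyed by lowercase name.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse "scheme://host[:port]" into a normalized {scheme, host, port},
// filling in the scheme's default port so "https://a.ex.com" and
// "https://a.ex.com:443" compare equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  return {
    scheme: u.protocol,                              // e.g. "https:"
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// RFC 6454: same origin iff scheme, host and port all match.
// This is why https://app.ex.com and https://sub.ex.com are NOT same-origin.
function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Simplified CSP source-expression match for frame-ancestors.
// Supports 'none', 'self' and host sources such as https://sub1.ex.com,
// https://*.ex.com and https://sub1.ex.com:8443. Anything else is treated
// as a non-match (fail closed).
function ancestorSourceMatches(source, pageOrigin, ancestorOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return sameOrigin(pageOrigin, ancestorOrigin);
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1].toLowerCase() + ':';
  const wildcard = Boolean(m[2]);
  const host = m[3].toLowerCase();
  const port = m[4] || DEFAULT_PORTS[scheme] || '';
  const anc = parseOrigin(ancestorOrigin);
  if (anc.scheme !== scheme) return false;
  // "*.ex.com" matches sub.ex.com but not ex.com itself.
  const hostOk = wildcard ? anc.host.endsWith('.' + host) : anc.host === host;
  return hostOk && anc.port === port;
}

// Decide whether the page (served with `headers`, living at `pageOrigin`)
// may be framed by a document at `ancestorOrigin`. A frame-ancestors
// directive, when present, takes precedence over X-Frame-Options.
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive !== undefined) {
    // An empty source list behaves like 'none': some() over [] is false.
    const sources = directive.split(/\s+/).slice(1);
    return sources.some((src) => ancestorSourceMatches(src, pageOrigin, ancestorOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(pageOrigin, ancestorOrigin);
  return true; // no framing restriction was sent at all
}

// Constructed sample responses for the question's scenario.
const PAGE = 'https://app.ex.com';
const ONLY_XFO = { 'x-frame-options': 'SAMEORIGIN' };
const CSP_SUBDOMAINS = {
  'x-frame-options': 'DENY',  // ignored: frame-ancestors wins
  'content-security-policy': 'frame-ancestors https://sub1.ex.com https://sub2.ex.com;',
};

console.log('SAMEORIGIN, sibling subdomain:', framingAllowed(ONLY_XFO, PAGE, 'https://sub1.ex.com'));
console.log('frame-ancestors, sub1:', framingAllowed(CSP_SUBDOMAINS, PAGE, 'https://sub1.ex.com'));
console.log('frame-ancestors, other site:', framingAllowed(CSP_SUBDOMAINS, PAGE, 'https://other.example'));
```

Run with `node` to see that SAMEORIGIN refuses the sibling subdomain (the questioner's problem) while the frame-ancestors list admits exactly the listed origins, including when an X-Frame-Options: DENY header is also present. Note that the scheme is part of the match: an http:// ancestor does not satisfy an https:// source.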
