user1499560

Reputation: 63

X-Frame-Options: ALLOW-FROM HTTP and HTTPS

With "X-Frame-Options: ALLOW-FROM", how can I allow one domain but with both HTTP and HTTPS requests?

I have the header below, but the client also serves the site at http://www.example.com.

X-Frame-Options: ALLOW-FROM https://www.example.com

Upvotes: 2

Views: 3979

Answers (1)

StefanOS

Reputation: 2748

Seems like there's no option for allowing both HTTP and HTTPS schemes within the same ALLOW-FROM header. Quoting from the spec.

As the "ALLOW-FROM" field only supports one serialized-origin, in cases when the server wishes to allow more than one resource to frame its content, the following design pattern can fulfill that need:

  1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

  3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

  4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.

Upvotes: 4
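The four-step pattern quoted in the answer, carried through as an added example (this is not code from the original post or from the spec): the framing page passes its own origin in a hypothetical `frame_origin` query parameter, the server canonicalises it and checks it against a hypothetical allowlist that contains both the http and the https origin of www.example.com, and the response carries `ALLOW-FROM` for exactly that one origin, or `DENY` for anything else. The allowlist entries, the parameter name and the port are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit
from wsgiref.simple_server import make_server

# Hypothetical allowlist of serialized origins permitted to frame this content.
# Both schemes of www.example.com are listed, which is the questioner's case.
TRUSTED_FRAMING_ORIGINS = {
    "http://www.example.com",
    "https://www.example.com",
}


def normalize_origin(value):
    """Parse the origin supplied by the framing page and return it in
    canonical serialized-origin form (scheme://host[:port]), or None if it
    is not a bare http(s) origin. Paths, queries, fragments and userinfo are
    rejected so that "https://www.example.com.evil.net" or
    "https://attacker@www.example.com" never match an allowlist entry."""
    if not isinstance(value, str) or len(value) > 256:
        return None
    try:
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            return None
        if parts.username is not None or parts.password is not None:
            return None
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is already lowercased
    default_port = 80 if parts.scheme == "http" else 443
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def x_frame_options_for(requested_origin, allowlist=TRUSTED_FRAMING_ORIGINS):
    """Steps 2 and 3 of the pattern: the header value to emit for the origin
    the framing page claimed. Fails closed with DENY when the origin is
    missing, malformed or not allowlisted."""
    origin = normalize_origin(requested_origin)
    if origin in allowlist:
        return f"ALLOW-FROM {origin}"
    return "DENY"


def app(environ, start_response):
    """Minimal WSGI app: reads the hypothetical `frame_origin` query
    parameter (step 1) and sets X-Frame-Options accordingly (step 3).
    The browser then enforces the header (step 4)."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    requested = query.get("frame_origin", [""])[0]
    body = b"<p>Framed content</p>"
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", x_frame_options_for(requested)),
        ("Content-Length", str(len(body))),
    ])
    return [body]


if __name__ == "__main__":
    # Example run; the framing page would load
    # http://127.0.0.1:8000/?frame_origin=https://www.example.com in its iframe.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("Serving on http://127.0.0.1:8000/")
        httpd.serve_forever()
```

Because the header is computed per request from a caller-supplied value, the comparison has to be against the canonicalised origin, never a substring or prefix check on the raw parameter. Note that `ALLOW-FROM` is only honoured by browsers that implement it; where you can rely on Content-Security-Policy, `frame-ancestors` accepts several origins in a single header and removes the need for this pattern.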
