Reputation: 1818
I would like to add multiple domains to X-Frame-Options, because I must authorize Facebook and Messenger.
I tried many things, for example...
I created a middleware:
<?php
namespace App\Http\Middleware;

use Closure;

class FrameHeadersMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // header() replaces an existing value by default, so the second call
        // overwrites the first: only the facebook.com header reaches the browser.
        // (The directive is spelled ALLOW-FROM, with a hyphen.)
        $response->header('X-Frame-Options', 'ALLOW-FROM https://www.messenger.com/');
        $response->header('X-Frame-Options', 'ALLOW-FROM https://www.facebook.com/');

        return $response;
    }
}
But only Facebook is added...
Edit: I use the HTTP referer with this:
<?php
namespace App\Http\Middleware;

use Closure;

class FrameHeadersMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // The Referer header carries a full URL (e.g. "https://www.messenger.com/t/..."),
        // so comparing it with a bare hostname never matches; compare the host part only.
        $referrerHost = parse_url($request->server('HTTP_REFERER', ''), PHP_URL_HOST);

        if ($referrerHost === 'www.messenger.com') {
            $response->header('X-Frame-Options', 'ALLOW-FROM https://www.messenger.com/');
        } elseif ($referrerHost === 'www.facebook.com') {
            $response->header('X-Frame-Options', 'ALLOW-FROM https://www.facebook.com/');
        } else {
            // Without this branch a request with a missing or unknown Referer (for
            // example a framing page using referrerpolicy="no-referrer") gets no
            // X-Frame-Options header at all and can be framed by anyone.
            $response->header('X-Frame-Options', 'DENY');
        }

        return $response;
    }
}
Upvotes: 0
Views: 2729
Reputation: 944293
You can't have multiple X-Frame-Options headers at the same time.
See the specification:
2.3.2.3. Usage Design Pattern and Example Scenario for the ALLOW-FROM Parameter
As the "ALLOW-FROM" field only supports one serialized-origin, in cases when the server wishes to allow more than one resource to frame its content, the following design pattern can fulfill that need:
1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.
2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.
3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.
4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.
Upvotes: 1
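Putting the design pattern quoted in the answer (RFC 7034, section 2.3.2.3) into a Laravel middleware, as an added example that is not code from the question or the answer. The query parameter name frame_origin and the two-entry allowlist are assumptions. The origin the framing page claims is only used to pick an allowlisted string; the raw parameter is never written into a response header. Because ALLOW-FROM was never implemented by Chrome or Safari and has been removed from Firefox (those browsers treat the header value as invalid and ignore it, which leaves the page framable), the example also sends a Content-Security-Policy frame-ancestors directive, which accepts several origins in one header and is what current browsers enforce.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumptions: the framing page appends ?frame_origin=<its origin> to the
// iframe URL (RFC 7034 step 1), and only the two origins below may frame us.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class FrameHeadersMiddleware
{
    /** Origins allowed to frame this application: scheme://host[:port], no path. */
    private const ALLOWED_FRAMERS = [
        'https://www.facebook.com',
        'https://www.messenger.com',
    ];

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Current browsers: one CSP header lists every allowed framer. Where both
        // headers are present, frame-ancestors takes precedence over X-Frame-Options.
        $response->headers->set(
            'Content-Security-Policy',
            'frame-ancestors ' . implode(' ', self::ALLOWED_FRAMERS)
        );

        // Legacy browsers (RFC 7034 steps 2 and 3): a single ALLOW-FROM value,
        // chosen by looking the claimed origin up in the allowlist. The raw
        // parameter is never written into the header.
        $raw = $request->query('frame_origin');
        $claimed = self::normalizeOrigin(is_string($raw) ? $raw : '');

        $value = in_array($claimed, self::ALLOWED_FRAMERS, true)
            ? 'ALLOW-FROM ' . $claimed  // an allowlisted constant, not user input
            : 'DENY';                   // fail closed when the framer is unknown or absent

        $response->headers->set('X-Frame-Options', $value);

        return $response;
    }

    /**
     * Reduce an untrusted URL to "scheme://host[:port]" so the allowlist is
     * compared against the real origin. A string-prefix check would accept
     * "https://www.facebook.com.evil.example" or
     * "https://www.facebook.com@evil.example"; this does not.
     */
    public static function normalizeOrigin(string $url): string
    {
        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return '';
        }

        $origin = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
        if (isset($parts['port'])) {
            $origin .= ':' . $parts['port'];
        }

        return $origin;
    }
}
```

The framing side has to supply the parameter: the URL configured on the Facebook side would end in ?frame_origin=https://www.facebook.com, the one configured for Messenger in ?frame_origin=https://www.messenger.com. Anything else, including a missing parameter, lands in the DENY branch, so a response is never sent without a framing policy, which is the gap in a Referer-based check that falls through when the Referer is absent.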