usertest

Reputation: 2272

Can I apply X-Frame-Options header and people still use <iframe> with my website

I want to add this header to my nginx server

add_header X-Frame-Options "SAMEORIGIN";

However, I want people to still be able to use an <iframe> that refers to my website.

Like YouTube provides an embed URL for videos, I do the same for a particular part of my website.

Is "SAMEORIGIN" the right value? Or is the X-Frame-Options header in conflict with the functionality I'm trying to achieve?

Upvotes: 0

Views: 3055

Answers (1)

Alberto Favaro

Reputation: 1840

There are three possible directives for X-Frame-Options:

  • X-Frame-Options: deny - the page cannot be displayed in a frame
  • X-Frame-Options: sameorigin - the page can only be displayed in a frame on the same origin as the page itself (same domain)
  • X-Frame-Options: allow-from https://example.com/ - the page can only be displayed in a frame on the specified origin

If you set it to sameorigin, when hosts (people) try to load your site in an <iframe> the browser gives you an error. Try this and open your dev console:

<iframe src="https://www.google.com"></iframe>

So in short, sameorigin is of course the wrong choice if you want your site to be loaded into an <iframe> by other people (domains). Try reading this if you want to get what you are looking for:

Overcoming "Display forbidden by X-Frame-Options"

Upvotes: 3
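One way to get what the question asks for on nginx, as an added example that is not part of the question or the answer above: keep SAMEORIGIN for the whole site, and carve out the embeddable path so it is served without any X-Frame-Options header (the header has no "allow everyone" value, so omitting it is the only option) and with a Content-Security-Policy frame-ancestors directive instead, which is what current browsers honour in place of the dropped allow-from value. The /embed/ path, the upstream address and the certificate paths are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                        # placeholder host
    ssl_certificate     /path/to/fullchain.pem;     # placeholder
    ssl_certificate_key /path/to/privkey.pem;       # placeholder

    # Site-wide default: only this origin may frame these pages.
    # "always" also attaches the headers to 4xx/5xx responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;

    # The one part of the site third parties may embed (assumed path).
    location /embed/ {
        # nginx inherits add_header from the enclosing block ONLY when the
        # inner block declares no add_header of its own. Declaring headers
        # here therefore drops the server-level X-Frame-Options for this
        # path, which is the intent, but every other header you still want
        # must be repeated here explicitly.
        add_header Content-Security-Policy "frame-ancestors *" always;
        # To allow only known partners instead of everyone, list them:
        # add_header Content-Security-Policy "frame-ancestors https://partner.example" always;
        add_header X-Content-Type-Options "nosniff" always;
        proxy_pass http://127.0.0.1:8080;           # assumed upstream
    }

    location / {
        proxy_pass http://127.0.0.1:8080;           # assumed upstream
    }
}
```

After `nginx -t` and a reload, confirm with `curl -sI https://example.com/embed/page` that no X-Frame-Options header is present, and with `curl -sI https://example.com/` that SAMEORIGIN is.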
