Brian Kitt

Reputation: 695

X-Frame-Options ALLOW-FROM not working if don't use www

Angular 7, IIS 7, C# .NET Core, FireFox

For my site: https://www.example.com, x-frames fail if the user uses https://example.com (note the absence of www)

The header I am building is: Headers.Add("X-frame-options", "ALLOW FROM https://www.example.com,https://example.com");

I've tried numerous iterations of this, and no matter what I try, I can't get it to work for both: https://www.example.com https://example.com

Upvotes: 0

Views: 2335

Answers (1)

Quentin

Reputation: 943089

See the specification:

Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted

and Usage Design Pattern and Example Scenario for the ALLOW-FROM Parameter

  1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

e.g. using a query string on the URL.

  2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

  3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

  4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.


Note that X-Frame-Options is superseded by Content Security Policy (CSP), where the frame-ancestors directive does allow you to provide a list.


That said, it doesn't really make sense to host the same website on www.example.com and example.com. Pick one of them to be canonical and issue a 301 redirect from the other to it.

Then you only need to allow the canonical one in X-Frame-Options.

Upvotes: 1
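The pattern the answer quotes (framing page declares its origin, server checks it against an allow list, one ALLOW-FROM value per response) plus the CSP frame-ancestors list, as an added ASP.NET Core middleware example. This is not code from the question or the answer; the `framer` query parameter name, the method names and the SAMEORIGIN fallback are assumptions.

```csharp
// Added example, not from the original post: per-request ALLOW-FROM selection
// plus a CSP frame-ancestors list, for an ASP.NET Core pipeline.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class FrameAncestorPolicy
{
    // Origins permitted to frame this content (constructed sample allow list).
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.example.com",
            "https://example.com",
        };

    // Reduce the framing page's self-declared value to a scheme://host[:port] origin
    // and return it only if it is https and on the allow list; otherwise null.
    public static string ResolveAllowedOrigin(string candidate)
    {
        if (string.IsNullOrWhiteSpace(candidate)) return null;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttps) return null;
        var origin = uri.GetLeftPart(UriPartial.Authority); // drops path, query, fragment
        return Allowed.Contains(origin) ? origin : null;
    }

    public static IApplicationBuilder UseFrameAncestorPolicy(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                // CSP accepts a list of framing origins and is what current browsers honour.
                headers["Content-Security-Policy"] =
                    "frame-ancestors " + string.Join(" ", Allowed);

                // Legacy X-Frame-Options carries a single origin, taken from the
                // framer's own declaration (step 1 of the quoted pattern). Assumed
                // query parameter name: "framer"; fall back to SAMEORIGIN if unknown.
                var framer = ResolveAllowedOrigin(context.Request.Query["framer"]);
                headers["X-Frame-Options"] =
                    framer != null ? "ALLOW-FROM " + framer : "SAMEORIGIN";
                return Task.CompletedTask;
            });
            await next();
        });
    }
}
```

Register it early in the pipeline with `app.UseFrameAncestorPolicy();` so the headers are set before any endpoint writes the response.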
