
In httpd.conf (Unix / Mac OS Sierra) I've got "Header set X-Frame-Options SAMEORIGIN"

I'd like to override that for a specific directory to X-Frame-Options ALLOW-FROM SpecificDomain.com

Goal is to allow iframe access to that directory but no others.

I tried adding the ALLOW-FROM line to an .htaccess file in the target directory but no luck. The iFrame is denied, with the browser console saying "X-Frame-Options" is set to "SAMEORIGIN".

Cœur
WhatsYourFunction

1 Answer


There are compatibility issues with some browsers with the Allow-From parameter for the X-Frame-Options response header; chances are you are dealing with a browser which does not support it.

Ideally try this command to see the headers output and make sure the setting you made is being used:

curl -I http://yourserver.example.com/exceptionpath/

If it is, instead of setting that other header you may also want to unset that header in that directory to avoid compatibility issues with that parameter:

Header unset X-Frame-Options

or if the above is not being applied:

Header always unset X-Frame-Options


Sidenote: If you are the admin of the site you don't need to use .htaccess if you have access to the main configuration files; set it in the appropriate Directory entry instead. Disable .htaccess files altogether with AllowOverride none. Configurations will be simpler and you will gain a bit of performance by not forcing httpd to constantly read that file several times with each hit.

Daniel Ferradal
  • Thanks for your followup and the Sidenote. Much appreciated. In .htaccess tried both your suggestions `Header unset X-Frame-Options` and `Header always unset X-Frame-Options` No luck. – WhatsYourFunction Jul 05 '17 at 21:56
  • Here's what returned from _`curl -I http://myserver.etc/targetDirectory`_ `HTTP/1.1 301 Moved Permanently Date: Wed, 05 Jul 2017 15:30:00 GMT Server: Apache/2.4.25 (Unix) LibreSSL/2.2.7 Location: http://myserver.etc/targetDirectory/ Content-Type: text/html; charset=iso-8859-1` – WhatsYourFunction Jul 05 '17 at 22:03
  • I do have control over the server. Earlier I'd tried dealing with this in http.conf (commenting out the existing SAMEORIGIN line, replacing it with an ALLOW-FROM) `# Header set X-Frame-Options SAMEORIGIN Header set X-Frame-Options ALLOW-FROM http://myserver.etc/targetFolder/` For whatever reason this killed the Filemaker server it was running while at the same time not resolving the SAMEORIGIN issue for the non-FMS directory. Reverting http.conf back fixed FMS. – WhatsYourFunction Jul 05 '17 at 22:03
  • Of course I can avoid all this trouble by switching to a server not under obligations to handle FMS, but wanted to pursue this if only to understand better why this isn't going as hoped for. Remaining questions: - Is there another approach / different command in http.conf that could be used to target the specific folder and allow iFraming of the target directory? - Performance issues aside, why would the commands in .htaccess not be sufficient to resolve the problem? thanks again – WhatsYourFunction Jul 05 '17 at 22:04
  • You should have followed the 302 and curled the URL ending in the trailing slash to see if you are not getting that header, but in the response from your curl there is no X-Frame-Options already. Also, always consider clearing the cache of your favourite browser, because if curl does not show the header your other browsers should not see it either. Browser caches generate much confusion with changing configurations. – Daniel Ferradal Jul 06 '17 at 06:36
  • Thanks ezra-s -- Following the 301 revealed the following additional response: `HTTP/1.1 200 OK Date: Fri, 07 Jul 2017 22:44:00 GMT Server: Apache/2.4.25 (Unix) LibreSSL/2.2.7 X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Content-Type: text/html; charset=utf-8` – WhatsYourFunction Jul 07 '17 at 22:45
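A main-configuration version of the per-directory override that the answer recommends, written as an added example (it is not the question's, the answer's or Apache's own config). The directory path and the allowed domain are placeholders; the one detail the thread does not spell out is that `Header set` and `Header always set` write to two separate header tables, so an `unset` only removes the entry from the table it names.

```apache
# Requires mod_headers:
#   LoadModule headers_module modules/mod_headers.so

# Server-wide default, exactly as in the question: deny framing
# except by pages from the same origin. Plain "Header set" writes
# to the onsuccess table, so the per-directory unset below must
# target that same table.
Header set X-Frame-Options SAMEORIGIN

# Exception for one directory only. Directory context is merged
# after server context, so these directives run last and win.
# "/var/www/html/targetDirectory" is a placeholder path.
<Directory "/var/www/html/targetDirectory">
    # The .htaccess attempt in the question is not needed once the
    # override lives here; with AllowOverride None (the 2.4 default)
    # a Header directive in .htaccess is silently ignored anyway.
    # If .htaccess must stay in use, FileInfo is the override class
    # that mod_headers needs: AllowOverride FileInfo
    AllowOverride None

    # Remove the inherited header from BOTH tables, otherwise the
    # SAMEORIGIN value (or a duplicate header) can still be sent.
    Header unset X-Frame-Options
    Header always unset X-Frame-Options

    # Legacy directive from the question; browsers that do not
    # understand ALLOW-FROM ignore it (placeholder domain).
    Header always set X-Frame-Options "ALLOW-FROM https://specificdomain.example"

    # frame-ancestors is the standardised replacement for ALLOW-FROM
    # and is what current browsers enforce; sending both covers old
    # and new clients. Directory remains framable only by this origin.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://specificdomain.example"
</Directory>
```

Verify the final response rather than the redirect, as the comment thread shows: `curl -sIL http://yourserver.example.com/targetDirectory/` follows the 301 to the trailing-slash URL, and the last block of headers printed is the one the browser actually evaluates.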