Change the X-Frame-Options to allow all domains

4

37

I am trying to use some site of mine as an iframe from a different site of mine.

My problem is that the other site constantly changes its IP address and does not have a domain name.

So, I read that you can allow a specific domain by adding this line to /etc/nginx/nginx.conf:

 add_header X-Frame-Options "ALLOW-FROM https://subdomain.example.com/";

My question is: is it possible to allow my site to be embedded as an iframe from all IP addresses and domains? What should I write in order to achieve this?

I am using Ubuntu 16.04 and nginx 1.10.0.

Foam answered 8/6, 2017 at 13:8 Comment(0)
48

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-Options, CSP's frame-ancestors directive, accepts a list of allowed origins, so you can easily allow some origins instead of none, one or all.

Larch answered 8/6, 2017 at 13:14 Comment(0)
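An added nginx example (not from the thread or any of its posters) that puts the accepted answer's advice into a server block; the hostnames and the IP address are placeholders:

```nginx
# Added example, not from the thread. Hostnames and the IP are placeholders.
server {
    listen 443 ssl;
    server_name framed.example.com;        # assumed: the site being embedded

    # Option A: allow every origin to frame this site.
    # That is the browser default, so send no X-Frame-Options at all.
    # "ALLOWALL" and "ALLOW-FROM *" are not defined by RFC 7034; they only
    # appear to work because a browser ignores a header it cannot parse.

    # Option B: allow a known list of origins. X-Frame-Options cannot
    # express a list (ALLOW-FROM takes exactly one origin and current
    # browsers no longer honour it), so use CSP frame-ancestors instead.
    # An IP-based origin is fine here as long as the address is fixed.
    add_header Content-Security-Policy
        "frame-ancestors 'self' https://portal.example.com https://203.0.113.10";

    # Option C: keep a legacy header for old browsers next to the CSP.
    # When both are present, a CSP-aware browser applies frame-ancestors
    # and ignores X-Frame-Options.
    add_header X-Frame-Options "SAMEORIGIN";

    location /embed/ {
        # Caveat: add_header directives are inherited only when a block
        # defines none of its own. Any add_header here silently drops the
        # two server-level headers for this location unless they are
        # repeated, which is a common way to lose the framing policy.
        add_header Cache-Control "no-store";
        add_header Content-Security-Policy
            "frame-ancestors 'self' https://portal.example.com https://203.0.113.10";
        add_header X-Frame-Options "SAMEORIGIN";
    }
}
```

After reloading, confirm with `curl -I https://framed.example.com/embed/` that both headers are actually present on the paths that matter.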
4

ALLOWALL is the default value.

Sometimes MVC frameworks such as Rails, Laravel, Django and so on set X_FRAME_OPTIONS to SAMEORIGIN, so someone might need to reset it to the original ALLOWALL value.

Calhoun answered 13/6, 2018 at 15:17 Comment(3)
ALLOWALL is not an accepted value: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… - Clubhouse
As noted, ALLOWALL is not a valid directive for the X-Frame-Options header. Invalid values (as with any invalid header) should simply be ignored by the browser - which is what would happen here - and this is the "default value" (no header - allow all access). It would be better to simply delete the header if this is the desired result. - Led
Additional note: it seems that today (2024-04-06) the majority of big browsers (I mean Firefox and Chrome) even block the iframe if the header is "x-frame-options: ALLOWALL". - Electric
2

What ended up working for me was ALLOW-FROM *.

I was using ALLOWALL, but as mentioned above, that is no longer a valid option, and we were also getting flagged by our PCI scan because of the deprecated value usage. As Francesco Meli mentioned, Rails was defaulting to ALLOWALL, but changing it to ALLOW-FROM * did the trick!

Uncommitted answered 18/1, 2023 at 1:29 Comment(1)
This is an invalid value, which probably just "tricks" the browsers into ignoring the header, but that's vendor-specific behavior that could change at any time. According to the spec the only valid options are "DENY" and "SAMEORIGIN". The accepted answer says it best: "Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that." - Desertion
-2

Well, you can check the IP address of the remote host from the server. You can then send an X-Frame-Options response HTTP header with the value "Allow-From ip-address", where ip-address is the remote IP address that is trying to embed content from your server. This will allow your website to be embedded by all websites that are accessed using an IP address from the browser.

Another option is to embed the content in an iframe and include the domain name in the iframe source URL. The domain name parameter can be read by the server and included in the X-Frame-Options response header.

Flatter answered 25/9, 2019 at 12:53 Comment(0)
