X-Frame-Options to support different subdomain of same domain [duplicate]
I want to know whether it's possible to support X-Frame-Options for a different subdomain of the same domain.

Pouliot answered 17/6, 2015 at 14:30 Comment(3)
I have answered, together with other people, a question like yours on Stack Overflow here: #6666923 (Rump)
Does this answer your question? Overcoming "Display forbidden by X-Frame-Options" (Villus)
@ArthurTsidkilov this is a different question. The question you linked asks about framing other sites. This question is about whether a mismatch only in the subdomain will be allowed by X-Frame-Options (I'm assuming by using "X-Frame-Options: sameorigin") (Killdeer)
According to RFC 6454, two URLs have the same origin if and only if they have identical schemes (protocols), hostnames, and ports. So a domain and its subdomain have different origins.

With old browsers, it was possible to use an X-FRAME-OPTIONS HTTP header, such as:

X-Frame-Options: ALLOW-FROM <origin>

but this is no longer supported by modern browsers. See X-Frame-Options HTTP header on caniuse.com.

With modern browsers, you can use either:

X-Frame-Options: DENY

to deny all framing, or:

X-Frame-Options: SAMEORIGIN

to allow framing from the same origin.

To allow framing from a different origin, you now have to use the frame-ancestors CSP directive such as:

Content-Security-Policy: frame-ancestors https://sub1.ex.com https://sub2.ex.com;

Note that if both a frame-ancestors CSP directive and an X-Frame-Options: DENY header are present, the CSP directive takes precedence, as defined in the HTML living standard.

Orient answered 19/1 at 20:32 Comment(0)
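The rules in the answer above, worked through as an added example (not code from the answer or from any browser): it decides whether a top-level page may frame a response, treating sub.ex.com and ex.com as different origins under SAMEORIGIN, matching frame-ancestors sources, and letting frame-ancestors override X-Frame-Options. It assumes only the top-level ancestor is checked (browsers check every ancestor in the chain) and models only the `'self'`, `'none'`, `scheme://host[:port]` and `*.host` source forms.

```javascript
// Added example, not from the answer: apply the framing rules the answer describes.
// Assumptions: only the top-level ancestor is checked, and only the 'self', 'none',
// scheme://host[:port] and scheme://*.host source forms of frame-ancestors are modelled.

// RFC 6454 origin: scheme, host and port, with the scheme's default port filled in.
function originOf(urlString) {
  const u = new URL(urlString); // WHATWG URL, global in browsers and Node
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Does one frame-ancestors source expression match the ancestor origin?
function sourceMatches(src, ancestor, self) {
  if (src === "'self'") return ancestor === self;
  if (src === "'none'") return false;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false; // any other expression form is treated as no match here
  const [, scheme, wildcard, host, port] = m;
  const sch = scheme.toLowerCase();
  const a = new URL(ancestor);
  if (a.protocol !== sch + ":") return false;
  const hostOk = wildcard
    ? a.hostname.endsWith("." + host.toLowerCase()) // *.ex.com matches subdomains only
    : a.hostname === host.toLowerCase();
  const aPort = a.port || (a.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || aPort === (port || (sch === "https" ? "443" : "80"));
  return hostOk && portOk;
}

// headers: object keyed by lowercase header name, e.g. { "x-frame-options": "DENY" }.
function framingAllowed(headers, framedUrl, ancestorUrl) {
  const self = originOf(framedUrl);
  const ancestor = originOf(ancestorUrl);
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    // frame-ancestors present: it governs, and X-Frame-Options is ignored.
    const sources = directive.split(/\s+/).slice(1); // no sources behaves like 'none'
    return sources.some(src => sourceMatches(src, ancestor, self));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestor === self; // app.ex.com !== ex.com
  return true; // no header, or a value modern browsers ignore (e.g. ALLOW-FROM)
}
```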
