Hi,
I have been using the following successfully in HTTPD config for some time:
Header always set X-Frame-Options SAMEORIGIN
The SAMEORIGIN is required for our use but now I am getting a request to
allow X-Frame-Options to include specific URL's, say:
https://example1.com
https://example2.com
In researching a bit, I found this
<https://www.apachelounge.com/viewtopic.php?p=36356> suggesting this format:
Header always set X-Frame-Options SAMEORIGIN
Header always append X-Frame-Options "ALLOW-FROM https://example1.com/"
Header always append X-Frame-Options "ALLOW-FROM https://example2.com/"
However, when I tested it the response is:
example.com refused to connect
Is this the proper way to set up this need (SAMEORIGIN and multiple URL
allows)? Are there any concerns with this type of configuration?
Any guidance is appreciated.
TIA,
HB
I have been using the following successfully in HTTPD config for some time:
Header always set X-Frame-Options SAMEORIGIN
The SAMEORIGIN is required for our use but now I am getting a request to
allow X-Frame-Options to include specific URL's, say:
https://example1.com
https://example2.com
In researching a bit, I found this
<https://www.apachelounge.com/viewtopic.php?p=36356> suggesting this format:
Header always set X-Frame-Options SAMEORIGIN
Header always append X-Frame-Options "ALLOW-FROM https://example1.com/"
Header always append X-Frame-Options "ALLOW-FROM https://example2.com/"
However, when I tested it the response is:
example.com refused to connect
Is this the proper way to set up this need (SAMEORIGIN and multiple URL
allows)? Are there any concerns with this type of configuration?
Any guidance is appreciated.
TIA,
HB