To help prevent clickjacking, I applied the following to my Apache 2.2 configuration, based on the suggestions in OWASP’s Clickjacking Defense Cheat Sheet and the Mozilla Developer Network’s page on the X-Frame-Options response header:
Header always append X-Frame-Options SAMEORIGIN
However, my site has certain pages that are included in an iframe on another site, for the purpose of displaying content on digital signage devices. After I added that header, those pages no longer loaded in the iframe on the digital signage devices’ browsers, which is exactly what SAMEORIGIN instructs a browser to do when the framing page comes from a different origin.
I thought I might be able to change SAMEORIGIN to ALLOW-FROM and list both the URI of my site and the URI of the digital signage page. However, RFC 7034, HTTP Header Field X-Frame-Options, states:
Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted
The pages I wanted to exempt from the X-Frame-Options restriction exist in their own directory, /digitalsignage, so I tried to override the X-Frame-Options header in a .htaccess file:
Header always append X-Frame-Options ALLOW-ACCESS http://example.com
That caused a 500 Server Error, and this message appeared in the error log:
.htaccess: error: envclause should be in the form env=envar
The directive is malformed in two ways. First, the value I meant was ALLOW-FROM; there is no ALLOW-ACCESS option. Second, the value contains a space but is not quoted, so mod_headers takes ALLOW-ACCESS as the header value and http://example.com as a fourth argument, the optional condition clause, which in Apache 2.2 must have the form env=VAR; hence the error. Quoting the whole value so that it arrives as a single argument would have avoided the 500. I did not find the correct form at the time, although several sites pointed out that some browsers (Chrome, Safari) do not support ALLOW-FROM at all.
I changed the .htaccess file back to SAMEORIGIN, to match what was in the main site configuration:
Header always append X-Frame-Options SAMEORIGIN
I then noticed that the X-Frame-Options header sent by the server contained SAMEORIGIN twice:
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
That is the documented behavior of append: the new value is merged onto any existing header of the same name, separated by a comma. Browsers treat a multi-valued X-Frame-Options header as a set, so two identical values still mean SAMEORIGIN, but two different values (SAMEORIGIN and DENY, say) make current browsers refuse framing altogether, which makes append the wrong action for this header. It appeared only once after I changed append to set, which replaces any existing value:
Header always set X-Frame-Options SAMEORIGIN
I tried using set instead of append with ALLOW-ACCESS:
Header always set X-Frame-Options ALLOW-ACCESS http://example.com
But it still produced the same 500 Server Error, since the problem is the unquoted value, not the action.
After reading the documentation for Apache’s mod_headers, I realized that unset would remove the X-Frame-Options header for the /digitalsignage directory when placed in that directory’s .htaccess file:
Header always unset X-Frame-Options
That worked, and the pages were successfully included in iframes on the digital signage company’s site. Two caveats: removing the header means any site, not only the signage company’s, can now frame the pages in that directory, so nothing sensitive should live there; and the condition keyword matters, because mod_headers keeps headers set with always separately from those set without it, so unset has to use the same keyword as the directive that added the header or it will leave the header in place.
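The following is an added example, not code from the original post, Apache or any browser. It models in Python both halves of what the post runs into: how mod_headers combines set, append and unset across its onsuccess and always tables (including the argument-parsing error behind the 500), and how a current browser then evaluates the X-Frame-Options lines it receives, following the HTML Standard’s check for X-Frame-Options. The origins example.com, signage.example.net and attacker.example, and the directive strings, are constructed for illustration.

```python
"""How Apache mod_headers assembles X-Frame-Options, and how a current browser
then reads it.  Added example for this page, not the post author's code or
Apache's; origins and directive strings are constructed for illustration."""
import shlex
from dataclasses import dataclass, field

RECOGNISED = ("deny", "allowall", "sameorigin")   # the values the HTML Standard knows


@dataclass
class ApacheHeaders:
    """mod_headers keeps two tables: 'Header ...' (condition onsuccess, the default)
    edits one, 'Header always ...' the other.  A 2xx response carries both, so a
    name present in both tables is sent as two header lines."""
    onsuccess: dict = field(default_factory=dict)
    always: dict = field(default_factory=dict)

    def header(self, directive: str) -> None:
        """Apply one 'Header [condition] action name [value] [env=VAR]' directive."""
        args = shlex.split(directive)[1:]               # drop the 'Header' keyword
        table = self.onsuccess
        if args[0].lower() in ("always", "onsuccess"):
            table = self.always if args.pop(0).lower() == "always" else self.onsuccess
        action, name, rest = args[0].lower(), args[1].lower(), args[2:]
        if action == "unset":
            table.pop(name, None)
            return
        if len(rest) > 1 and not rest[1].startswith("env="):
            # An unquoted value containing a space ('ALLOW-FROM http://...') is read as
            # value + condition clause, and the clause must be env=VAR: the post's 500.
            raise ValueError("envclause should be in the form env=envar")
        value = rest[0]
        if action == "set":
            table[name] = value                         # replaces any existing value
        elif action == "append":                        # merges onto the old value with a comma
            table[name] = f"{table[name]}, {value}" if name in table else value
        else:
            raise ValueError(f"action {action} not modelled")

    def lines(self, name: str) -> list:
        """Every header line sent for `name`: the onsuccess table first, then always."""
        n = name.lower()
        return [t[n] for t in (self.onsuccess, self.always) if n in t]


def frame_allowed(xfo_lines, page_origin, embedder_origin) -> bool:
    """HTML Standard X-Frame-Options check for a frame with a single ancestor.
    (A CSP frame-ancestors directive, if present, makes the browser skip this check.)"""
    tokens = [t.strip().lower() for line in xfo_lines for t in line.split(",")]
    options = list(dict.fromkeys(tokens))               # ordered set: duplicates collapse
    if len(options) > 1:                                # differing values: fail closed only
        return not any(o in RECOGNISED for o in options)  # if a recognised keyword is present
    if not options:
        return True                                     # no header: anyone may frame the page
    if options[0] == "deny":
        return False
    if options[0] == "sameorigin":
        return page_origin == embedder_origin
    return True                                         # unknown values (ALLOW-FROM ...) are ignored


PAGE = "https://example.com"                            # constructed: site serving the pages
SIGNAGE = "https://signage.example.net"                 # constructed: the digital-signage site
ALWAYS_APPEND = "Header always append X-Frame-Options SAMEORIGIN"


def serve(*directives):
    """Apply directives in config order (httpd.conf first, .htaccess last); return XFO lines."""
    resp = ApacheHeaders()
    for directive in directives:
        resp.header(directive)
    return resp.lines("X-Frame-Options")


def scenarios() -> dict:
    """Replay the configurations discussed in the post and record the outcomes."""
    out = {}
    # 1. 'always append' in httpd.conf and again in .htaccess: one line, value doubled.
    out["append_lines"] = serve(ALWAYS_APPEND, ALWAYS_APPEND)
    out["append_signage"] = frame_allowed(out["append_lines"], PAGE, SIGNAGE)
    # 2. What worked: unset with the same condition keyword the header was set with.
    out["unset_lines"] = serve(ALWAYS_APPEND, "Header always unset X-Frame-Options")
    out["unset_signage"] = frame_allowed(out["unset_lines"], PAGE, SIGNAGE)
    # 3. Condition mismatch: 'unset' without 'always' edits the other table; header survives.
    out["mismatch_lines"] = serve("Header always set X-Frame-Options SAMEORIGIN",
                                  "Header unset X-Frame-Options")
    out["mismatch_signage"] = frame_allowed(out["mismatch_lines"], PAGE, SIGNAGE)
    # 4. The unquoted ALLOW-FROM directive from the post: a config error, no header at all.
    try:
        serve("Header always set X-Frame-Options ALLOW-FROM http://example.com")
        out["unquoted_error"] = None
    except ValueError as err:
        out["unquoted_error"] = str(err)
    # 5. Quoted, ALLOW-FROM parses; browsers ignore it, so an unrelated site may frame too.
    out["allow_from_other"] = frame_allowed(
        serve('Header always set X-Frame-Options "ALLOW-FROM https://signage.example.net"'),
        PAGE, "https://attacker.example")
    # 6. Different values in the two tables: two lines sent, browser fails closed.
    out["conflict_lines"] = serve("Header always set X-Frame-Options SAMEORIGIN",
                                  "Header set X-Frame-Options DENY")
    out["conflict_self"] = frame_allowed(out["conflict_lines"], PAGE, PAGE)
    return out
```

Running scenarios() shows the three points worth remembering from the post: the doubled value from append is harmless only because both copies are identical, while a set/always mismatch that yields two different values blocks even same-origin framing; unset has to name the same condition keyword as the directive that added the header; and a quoted ALLOW-FROM value is accepted by Apache but treated as an unknown token by today’s browsers, so it leaves the page frameable by anyone. Browsers today ignore ALLOW-FROM entirely; a list of permitted embedders is expressed with the Content-Security-Policy frame-ancestors directive instead.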
Hi,
How can we use the “unset” option to nullify the X-Frame-Options for 2 sites?
@Vikas, to clarify, I think you are asking how to use the X-Frame-Options header to allow 2 sites to embed your site within a frame or iframe, but no other sites.
If that is what you are trying to do, I have bad news: that’s not possible. In my case, I used the unset keyword to allow any site to embed files in a specific directory in a frame or iframe. The options with X-Frame-Options seem to be to allow all sites (by not setting or removing the header), to disallow all sites (DENY), to allow only the hosting site (SAMEORIGIN), or to allow one single external site (ALLOW-FROM).
However, there are other changes you could make to your Apache configuration to conditionally add/change/remove the X-Frame-Options header. One idea would be to use SetEnvIf to check the Referer request header value and set the response header accordingly.
Hi
I’ve got the same problem, but I don’t know how you applied ‘Header always unset X-Frame-Options’ to only one directory. Could you please post an example?
@Ruben here’s a simplified example from an httpd.conf file or an apache.conf file:
Now example.com is protected from being embedded in a frame, with the exception of example.com/frameme.
If you do not have access to your httpd.conf or apache.conf file, you can create a .htaccess file in the directory you want to exempt (/example.com/docroot/frameme in this example) and include the following line in the file:
Header always unset X-Frame-Options
Header set X-Frame-Options "ALLOW-FROM http://xxxxxx"
Hello,
I added
# Extra Security Headers
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
in .htaccess, but it does not work. Any idea, please? Thank you.
thank you!
My Apache install doesn’t seem to like the “always” part. It worked for me to override the Apache config with a .htaccess file in the target directory as described, only without “always”:
Header unset X-Frame-Options
Hope that helps someone.
@JK, Thank you! Only omitting “always” worked for me too.
Hello,
I’m looking for how to set X-Frame-Options to allow any subdomain, such as ALLOW-FROM http://*.test.com.
Thanks for your help, all.
“allow-from” is obsolete and doesn’t work on most browsers anymore (sadly). Don’t use it, it won’t work.