always append x-frame-options doesn't work
my hoster has x-frame-options SAMEORIGIN in the apache2.conf file I added always append allow-from <site> in my .htacess file This works with internet explorer, but not with Firefox. The developer toolkit shows the options on the network tab correctly as: x-frame-options SAMEORIGIN, <site> The problem occurs e.g. on Joomla where the images on the media content are not shown. This seems a bug in Firefox. Right?
Gewysig op
All Replies (8)
Is that valid, combining SAMEORIGIN plus ALLOW-FROM a site other than the same origin??
I don't see a mention of that in the MDN documentation on this header: https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Frame-Options
Are there any error or warning messages in the Browser Console related to the framing?
I don't think the Mozilla document should be leading here. The Apache documentation has to be leading? That documentation explains the 'always append' without restrictions. Firefox Developer Tools accepts it. So does Internet Explorer. I haven't been able to find something in the Apache documention about combining SAMEORIGIN and ALLOW-FROM. But that doesn't mean it's not there. BTW how else would you specify that all sites on your server can frame their own pages plus allow some sites to frame a specific foreign domain?
Is this what you are using ? https://stackoverflow.com/questions/38744953/apache-x-frame-options-allow-from-multiple-domains
Yes I am using that statement in my htaccess file. But with only one url. As stated before the SAMEORIGIN option is specified in the httpd.conf file
hankoster said
I don't think the Mozilla document should be leading here.
What do you think of the following statement, is it obsolete?
There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.
https://tools.ietf.org/html/rfc7034#section-2.1 (RFC cited in the MDN article)
A page from nuenen.amnesty.nl is loading another page from nuenen.amnesty.nl
Network tab shows the option: X-Frame-Options SAMEORIGIN, Allow-From https://beheer.amnesty.nl/
Browser console reports: Load denied by X-Frame-Options: https://beheer.amnesty.nl/ does not permit framing by https://nuenen.amnesty.nl/administrator/index.php?option=com_media.
The error message is not reporting what really happens. This page does not frame something from beheer.amnesty.nl. That happens on another page and that works!
jscher2000 said
hankoster saidI don't think the Mozilla document should be leading here.What do you think of the following statement, is it obsolete?
There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.https://tools.ietf.org/html/rfc7034#section-2.1 (RFC cited in the MDN article)
Good catch! So that means that Microsoft in all its wisdom is disobeying the RFC and is extending the rules by accepting this header in IE and Edge. And so is Apache that combines the two statements. Maybe I have to look at CSP for a solution of my problem?
I imagine on a Joomla forum they have a workaround. Perhaps setting the header in PHP with the desired host name, which I think would replace the default one set on the server.
CSP is more modern, but might not work in IE and Edge: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors