Allowing my site to be embedded in an iFrame
My Nginx server sets the X-Frame-Options header to DENY, which is fine so far. But now I need to allow just one page of my site to be embedded in an iframe outside of my domain.
I tried to solve this on the application level using PHP inside the controller that serves the web page:
header('X-Frame-Options: ALLOW-FROM 127.0.0.1');
But the response headers when I tried to embed the page in an external iframe were:
X-Frame-Options:ALLOW-FROM 127.0.0.1
X-Frame-Options:DENY
So is it concatenating the options (the one set in the nginx config with the one set in the app code)? How can I allow a single page of my server to be embedded in an external iframe?
Solution 1:[1]
Why not write a simple if else statement? If PHP detects a certain page (URL), allow to be embedded in an iFrame else do not allow to be embedded in an iFrame.
Solution 2:[2]
In the case of Django we solved it like this:
location /the/page/you/want/to/expose/ {
    add_header Access-Control-Allow-Origin *;
    include uwsgi_params;
    uwsgi_pass unix:/run/uwsgi/app/appsco/socket;
}
location / {
    add_header X-Frame-Options DENY; # This is your catch-all.
    include uwsgi_params;
    uwsgi_pass unix:/run/uwsgi/app/appsco/socket;
}
Remember to remove the add_header from the whole server block and put it in your catch-all. Django users: for @frame_deny_exempt take a look at http://django-secure.readthedocs.org/en/latest/middleware.html
Solution 3:[3]
I think you need to remove the X-Frame-Options: DENY; explicitly stating an allow seems to block everything else by default. I've only tested this with a URL rather than an IP address, but an x-frame from https://example.com was blocked, while test.mysite-b.com could embed test.mysite-b.com, and a virtual host using the same config, mysite-b.com, was also blocked from embedding test.mysite-b.com.
add_header X-Frame-Options "ALLOW-FROM http://test.mysite-b.com";
This allows test.mysite-b.com to embed any site using this config, including itself. Other sites are still denied and cannot embed test.mysite-b.com or other URLs.
For reference, this is my entire SSL config:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP$
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 37.235.1.174 37.235.1.177 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
add_header X-Frame-Options "ALLOW-FROM http://test.mysite-b.com";
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
A potential issue I can think of: your list of allowed URLs is accessible, so if you're expecting them to be hidden for some reason... they won't be.
Load denied by X-Frame-Options: https://test.mysite-b.com/ does not permit framing by https://mysite-b.com/iframe.html.
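All three answers come down to the same thing: nginx must stop sending `X-Frame-Options: DENY` for the one page, because once a DENY value is present in the response, browsers refuse to frame it no matter what the application (Solution 1's PHP `header()` call) appends. Two caveats a practitioner would want before copying Solution 2 or Solution 3: first, nginx `add_header` directives are inherited from the enclosing level only when the current level declares none of its own, so a `location` with its own `add_header` (as in Solution 2) silently drops the server-level HSTS and `X-Content-Type-Options` headers shown in Solution 3's config unless they are repeated; second, `X-Frame-Options: ALLOW-FROM` is not honoured by Chromium-based browsers or Safari and was removed from Firefox, so the supported way to name an allowed embedder is the Content-Security-Policy `frame-ancestors` directive. The server block below is an added example and not code from any of the answers; the hostnames `app.example.com` and `partner.example.net`, the path `/embeddable/widget/`, and the `Access-Control-Allow-Origin` line's absence are my choices, while the uWSGI socket path is taken from Solution 2.

```nginx
# Added example: per-location framing policy in nginx (not from the original answers).
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder hostname

    # Headers at server level reach only those locations that declare
    # NO add_header of their own. Both locations below do, so each one
    # repeats the non-framing security headers explicitly.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    # Exact match (=): only this page may be framed, not anything under it.
    # A prefix match would expose every path beneath it.
    location = /embeddable/widget/ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;

        # Name the single external origin allowed to embed this page.
        # 'self' keeps same-origin framing working as well.
        add_header Content-Security-Policy "frame-ancestors 'self' https://partner.example.net" always;

        # Deliberately no X-Frame-Options here: sending DENY alongside an
        # allow is exactly the conflicting pair seen in the question.
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/appsco/socket;
    }

    # Catch-all: every other page refuses to be framed by anyone.
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/appsco/socket;
    }
}
```

The `always` parameter makes nginx emit the headers on error responses too (by default `add_header` applies only to 2xx/3xx/4xx-subset status codes), which matters for the DENY catch-all. To avoid repeating the shared headers in every location, the usual pattern is to keep them in a snippet file and `include` it in each block. After reloading, fetch the widget page and the front page with `curl -I` and confirm that each response carries exactly one framing policy: `frame-ancestors` for the widget, `X-Frame-Options: DENY` plus `frame-ancestors 'none'` for everything else.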
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Giancarlo Colfer |
| Solution 2 | ikks |
| Solution 3 | |
