Unable to allow on a specific site the embedding (iframe)!

vincen · February 9, 2023, 2:32pm

Hi

I have implemented in my general Apache config ban of all cross-options for websites and block any iframes and stuffs like that
Unhappy one of my customer needs it as he sells photo services ! I tried these directives in the virtual apache both SSL and non SSL of the customer account:

 Header set Access-Control-Allow-Origin "*"
 Header set X-Frame-Options: "ALLOW-FROM https://iframetester.com/"

Restarted Apache but it still sends that header:

HTTP/1.1 302 Found
Date: Thu, 09 Feb 2023 14:30:59 GMT
Server: Apache
Strict-Transport-Security: max-age=31052000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://www.domainofmycustomer.fr/
Content-Length: 207
Connection: close
Content-Type: text/html; charset=iso-8859-1

General directives are not overridden by ones in virtual server ??

Thanks

Vincèn

tpnsolutions · February 10, 2023, 1:30am

@vincen,

Unless you messed up permission wise, you should be able to set these via an “.htaccess” file on a per site basis.

<IfModule mod_header.c>
your code here...
</IfModule>

vincen · February 10, 2023, 7:09am

Why would it work in .htaccess if it’s not working in config file of Apache ? For me Apache config file is supposed to be more efficient and best way to do it no ?

cyberndt · February 10, 2023, 6:05pm

I believe the directive for X-Frame-Options has been changed.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

There are two possible directives for X-Frame-Options :

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

system · April 11, 2023, 6:05pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.