Tuesday, 24 April 2018

Allow multiple domain in X-Frame-Options ALLOW-FROM

We can specify which domain is allowed to embed our web site in an iframe by sending the 'X-Frame-Options: ALLOW-FROM uri' response header.

This only requires adding the X-Frame-Options header to the response.

But the ALLOW-FROM uri parameter does not work in the Chrome browser.
Because Chrome does not support it, we cannot get the benefit of the X-Frame-Options ALLOW-FROM parameter.
ALLOW-FROM also does not accept multiple domains in its value, so here is an alternative solution.

Add Header
X-Frame-Options SAMEORIGIN

And

Content-Security-Policy "frame-ancestors 'self' domain1 domain2 domain3"

More details about Content-Security-Policy are available at content-security-policy.com.
Please note that the single quotes around self must be included; otherwise the directive may not work properly.
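As an added illustration (not code from the post), here is a small Python model of the combined configuration: it builds the two headers for a list of framing domains, then evaluates, the way a CSP-aware browser would, whether a given embedding origin is allowed by frame-ancestors, falling back to the SAMEORIGIN rule only when the directive is absent. The site origin and partner domains are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values (not from the post): the protected site and its permitted framers.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_FRAMERS = ["https://partner1.example", "https://*.partner2.example", "partner3.example"]
DEFAULT_PORTS = {"http": 80, "https": 443}

def build_headers(allowed_framers):
    """The two headers the post recommends; 'self' must keep its single quotes."""
    sources = " ".join(["'self'"] + list(allowed_framers))
    return {"X-Frame-Options": "SAMEORIGIN",  # fallback for browsers without frame-ancestors
            "Content-Security-Policy": f"frame-ancestors {sources}"}

def frame_ancestors_sources(csp_value):
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _source_matches(source, origin, site_origin):
    """Simplified CSP host-source matching: scheme, host (with *. wildcard) and port."""
    if source == "'self'":
        return origin == site_origin
    org = urlsplit(origin)
    scheme, sep, rest = source.lower().partition("://")
    if not sep:  # scheme-less source (as in the post): matches the page's scheme, or https
        scheme, rest = None, source.lower()
        if org.scheme not in (urlsplit(site_origin).scheme, "https"):
            return False
    elif scheme != org.scheme:
        return False
    host, _, port = rest.rstrip("/").partition(":")
    org_host = org.hostname or ""
    if host.startswith("*."):
        if not org_host.endswith(host[1:]):  # *.b.example does not match b.example itself
            return False
    elif host != org_host:
        return False
    want = int(port) if port else DEFAULT_PORTS.get(scheme or org.scheme)
    return want == (org.port or DEFAULT_PORTS.get(org.scheme))

def may_frame(headers, embedding_origin, site_origin=SITE_ORIGIN):
    """Decide whether a page served with these headers may be framed by embedding_origin."""
    sources = frame_ancestors_sources(headers.get("Content-Security-Policy", ""))
    if sources is None:  # no frame-ancestors: the X-Frame-Options SAMEORIGIN fallback applies
        return embedding_origin == site_origin
    # frame-ancestors present: browsers that support it ignore X-Frame-Options entirely
    return any(_source_matches(s, embedding_origin, site_origin) for s in sources)
```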