We can allow a domain to embed our web site in an iframe by using 'X-Frame-Options ALLOW-FROM uri'.
This only requires adding the X-Frame-Options header to the response.
However, the ALLOW-FROM uri parameter does not work in the Chrome browser.
Because Chrome does not support it, we cannot get the benefit of the X-Frame-Options ALLOW-FROM parameter.
ALLOW-FROM also does not support multiple domains in its value, so here is an alternative solution.
Add these headers:
X-Frame-Options SAMEORIGIN
And
Content-Security-Policy "frame-ancestors 'self' domain1 domain2 domain3"
More details: content-security-policy.com
Please take note that the single quotes around self are required; otherwise it may not work properly.
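A small check for the header pair described above, added here as an example and not part of the original post: it reports an X-Frame-Options ALLOW-FROM value, a missing frame-ancestors directive, and a self or none keyword written without single quotes. The function names and the partner host names are assumptions made for the example.

```python
# Added example (not from the original post). Host names below are constructed.
KEYWORDS = {"self", "none"}  # CSP keywords that must be single-quoted


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]  # the first occurrence of a directive wins
    return None


def audit(headers):
    """Return a list of findings for a dict of response headers."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    if h.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not supported by Chrome")
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        findings.append("Content-Security-Policy has no frame-ancestors directive")
        return findings
    for src in sources:
        if src.lower() in KEYWORDS:
            # Without quotes the token is parsed as a host name, not a keyword.
            findings.append(f"unquoted {src}: write '{src.lower()}' instead")
    return findings


# Constructed sample responses: the pair from the post, then a broken variant.
GOOD = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy":
        "frame-ancestors 'self' https://partner1.example https://partner2.example",
}
BAD = {
    "X-Frame-Options": "ALLOW-FROM https://partner1.example",
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors self https://partner1.example",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("bad", BAD)):
        print(name, audit(hdrs) or "ok")
```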