Thursday, September 28, 2017

Include multiple domains in ALLOW-FROM for X-Frame-Options (Apache)

Every single forum, blog post, and documentation online will tell you the same thing... that it's not possible to whitelist multiple domains with X-Frame-Options and to use Content-Security-Policy instead or some complicated and messy JavaScript as alternatives.

I'm here to tell you that they're all wrong.

Here is a snippet of my httpd.conf file:
# For obvious security reasonsHeader set X-Frame-Options SAMEORIGIN 
<Location /myapp>  # For the context /myapp, whitelist multiple domains  Header append X-Frame-Options "ALLOW-FROM"  Header append X-Frame-Options "ALLOW-FROM"</Location>

If you open up Developer Tools (F12) in IE 11, you can confirm that the header will show the following:

Applicable Versions
  • Apache



Stefan said...

I am sorry to say but the modification of the header this way doesn't solve the problem. You can of course add multiple domains to this header but most modern browsers tell you that it is misconfigured. IE does only recognize the first domain.

So there still is no solution.

Ahmed Aboulnaga said...

Thanks for the feedback.

I can only confirm that this worked for us using a hardened version of IE 11 (which is the only browser the client supports). No other browsers were tested.

Anonymous said...

Custom version of IE not available to the rest of the world doesn't really make the other posts wrong. They are right. The only reason it works here is because of a version of IE no one else is using. The version that comes with Windows will only acknowledge the first value.