Problem:
I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before we had:
add_header X-Frame-Options "SAMEORIGIN";
on all our pages.
To accomplish what I want to do I tried:
add_header X-Frame-Options https://somewebsite.com;
This ends up allowing iframes as wanted, but it allows them from every domain, not just from https://somewebsite.com.
How can I deny iframes from all external pages but allow them from one subdomain?
Side info: both sites run on the same machine.
Solution:
The RFC for the X-Frame-Options header states that the valid options for the header are:
DENY
SAMEORIGIN
ALLOW-FROM <uri>
So, first off, you need to add ALLOW-FROM and then specify the URI of your subdomain. Something like this:
ALLOW-FROM https://subdomain.example.com/
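The header grammar the answer cites, as an added Python example (not from the original question or answer) that shows why the asker's bare-URL value had no effect: a browser that cannot parse X-Frame-Options ignores the header, so the page becomes frameable from anywhere. All hostnames in it are constructed sample values.

```python
# Added example, not part of the original question or answer: a minimal
# X-Frame-Options evaluator following the RFC 7034 grammar, showing why the
# asker's `add_header X-Frame-Options https://somewebsite.com;` let every site
# frame the page. All hostnames are constructed sample values.
from typing import Optional, Tuple
from urllib.parse import urlparse


def parse_x_frame_options(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (directive, origin) for DENY, SAMEORIGIN or ALLOW-FROM <origin>;
    None for anything else (e.g. a bare URL), meaning the header is invalid."""
    parts = value.strip().split()
    if not parts:
        return None
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return (directive, None) if len(parts) == 1 else None
    if directive == "ALLOW-FROM" and len(parts) == 2:
        url = urlparse(parts[1])
        if url.scheme in ("http", "https") and url.netloc:
            # Only the serialized origin (scheme://host[:port]) is compared.
            return ("ALLOW-FROM", f"{url.scheme}://{url.netloc}")
    return None


def framing_allowed(header_value: Optional[str], framer_origin: str,
                    page_origin: str) -> bool:
    """Decide whether a page sent with header_value may be framed by a top-level
    document at framer_origin, as a browser that honours ALLOW-FROM would.
    An absent or unparseable header imposes no restriction at all, which is
    exactly the behaviour the asker observed."""
    parsed = parse_x_frame_options(header_value) if header_value else None
    if parsed is None:
        return True
    directive, origin = parsed
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return framer_origin == page_origin
    return framer_origin == origin


if __name__ == "__main__":
    page, other = "https://www.example.com", "https://third-party.example"
    # Asker's directive (invalid value): framing permitted from anywhere.
    print(framing_allowed("https://somewebsite.com", other, page))  # True
    # Answer's directive: only the named subdomain may frame the page.
    print(framing_allowed("ALLOW-FROM https://subdomain.example.com/", other, page))  # False
```

Current browsers no longer implement ALLOW-FROM (Chrome never did and Firefox removed it), so a single framing origin is nowadays allowed with the Content-Security-Policy frame-ancestors directive instead.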