I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before we had:
add_header X-Frame-Options "SAMEORIGIN"; on all our pages.
To accomplish what I want to do I tried:
add_header X-Frame-Options https://somewebsite.com;
This ends up allowing iframes as wanted but it allows them from every domain not just from
How can I deny iframes from all external pages but allow them from one subdomain?
Both sites run on the same machine.
The RFC for the X-Frame-Options header states that valid options for the header are:
So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:
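As an added example (not part of the original answer or of any project's code): a small Python check of an X-Frame-Options value against the three forms RFC 7034 defines, showing why a bare URL like the one in the question is ignored by browsers and so restricts nothing. The origin `https://sub.example.com` is a placeholder, and the `frame-ancestors` line is included on the assumption that current browsers, which do not honour ALLOW-FROM, must also be covered.

```python
from urllib.parse import urlsplit


def parse_xfo(value):
    """Return (directive, origin) for a valid X-Frame-Options value, else None.

    RFC 7034 defines three forms only: DENY, SAMEORIGIN and
    ALLOW-FROM <origin>. Directive names are case-insensitive.
    """
    parts = value.split()
    if not parts:
        return None
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return (directive, None)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        try:
            u = urlsplit(parts[1])
        except ValueError:
            return None
        if (u.scheme in ("http", "https") and u.hostname and "@" not in u.netloc
                and u.path in ("", "/") and not u.query and not u.fragment):
            return ("ALLOW-FROM", f"{u.scheme}://{u.netloc}")
    return None


def effective_policy(value):
    """Describe what a browser enforces; an unrecognised value is ignored."""
    parsed = parse_xfo(value)
    if parsed is None:
        return "no restriction (header ignored)"
    directive, origin = parsed
    return directive if origin is None else f"{directive} {origin}"


def nginx_directives(origin):
    """Build add_header lines allowing framing by this site and one origin."""
    if parse_xfo(f"ALLOW-FROM {origin}") is None:
        raise ValueError(f"not a bare http(s) origin: {origin!r}")
    return [
        f'add_header X-Frame-Options "ALLOW-FROM {origin}";',
        # Assumption: 'self' keeps the earlier SAMEORIGIN behaviour.
        f"add_header Content-Security-Policy \"frame-ancestors 'self' {origin}\";",
    ]


if __name__ == "__main__":
    for v in ("SAMEORIGIN", "https://somewebsite.com"):  # values from the question
        print(f"{v!r}: {effective_policy(v)}")
    print("\n".join(nginx_directives("https://sub.example.com")))  # placeholder origin
```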