A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored. i'm hosting 2 websites with 2 different domain names with apache 2.4.29 on debian 8: site1.com site2.com i want to allow the use of iframes from both sites. in site1.conf i have : Header always set X-Frame-Options "ALLOW-FROM http://site2.com http://www.site2.com https://site2.com https://www.site2.com" Header always set Referrer-Policy "same-origin" in site2.conf i have : Header always set X-Frame-Options "ALLOW-FROM http://site1.com http://www.site1.com https://site1.com https://www.site1.com" Header always set Referrer-Policy "same-origin" unfortunately it doesn't work, it doesn't show the iframe with internet explorer 11...what am i doing wrong ? i can't find any example for X-Frame-Options with multiple uri...is my syntax correct ? do i have to add the http and the https ? and also the domain with or without the www ? Thank you for your help.

Last edited by cetipabo on Wed 17 Jan '18 16:36; edited 1 time in total actualy i also tried with a list like that but It still does not work: Header always set X-Frame-Options "ALLOW-FROM http://site1.com" Header always set X-Frame-Options "ALLOW-FROM http://www.site1.com" Header always set X-Frame-Options "ALLOW-FROM https://site1.com" Header always set X-Frame-Options "ALLOW-FROM https://www.site1.com"

Quote:

1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

my iframe link is like this http://www.site2.com/folder/page.php?a=1&b=2

Quote:

Header set X-Frame-Options SAMEORIGIN Header append X-Frame-Options "ALLOW-FROM http://www.site2.com/" Header append X-Frame-Options "ALLOW-FROM http://site2.com/" Header append X-Frame-Options "ALLOW-FROM https://www.site2.com/" Header append X-Frame-Options "ALLOW-FROM https://site2.com/"

when i check the result with https://securityheaders.io i GET a "B" because it says :

Quote:

X-Frame-Options: We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL". looks like they don't know how to handle multiple uri too