33

I am trying to use some site of mine as an iframe from a different site of mine.

My problem is- the other site is always consistently changes his IP address and does not have an domain name.

So, I read that you can allo a specific domain by adding this lint to the /etc/nginx/nginx.conf:

 add_header X-Frame-Options "ALLOW-FROM https://subdomain.example.com/";

My question is: It is possible to allow my site to be imported as an iframe from all IP addressed and domains? What should I write in order to achieve this?

I am using Ubuntu 16.04 and nginx 1.10.0.

Yuval Pruss
  • 8,716
  • 15
  • 42
  • 67

4 Answers4

44

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-OptionsCSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
5

ALLOWALL is the default value.

Sometimes frameworks MVC such as Rails, Laravel, Django and so on, set a X_FRAME_OPTIONS to SAMEORIGIN so someone might need to reset it to the origin ALLOWALL value.

Francesco Meli
  • 2,484
  • 2
  • 21
  • 52
  • 14
    ALLOWALL is not an accepted value: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options – T-moty Nov 11 '19 at 09:56
  • 5
    As noted, `ALLOWALL` is not a valid directive to the `X-Frame-Options` header. Invalid values (as with any invalid header) should simply be ignored by the browser - which is what would happen here - this is the "default value" (no header - allow all access). It would be better to simply delete the header if this is the desired result. – MrWhite Nov 28 '20 at 01:13
0

What ended working for me was ALLOW-FROM *.

I was using ALLOWALL, but as mentioned above, that is no longer a valid option, also we were getting flagged by our PCI scan because of the deprecated value usage. As Francesco Meli mentioned, Rails was defaulting to ALLOWALL, but changing it to ALLOW-FROM * did the trick!

Jorge Caballero
  • 611
  • 9
  • 11
-2

Well you can check the ip address of the remote host from the server. You can then send a X-Frame-Options response HTTP header with the value: "Allow-From ip-address", where ip address is the remote ip address that is trying to embed content on your server. This will allow your website to be embedded by all websites that are accessed using an ip address from the browser.

Another option is to embed the content in iframe and include the domain name in the iframe source url. The domain name parameter can be read by the server and included in the X-Frame-Options response header.

Nadir Latif
  • 3,690
  • 1
  • 15
  • 24