5

I'm trying to modify the X-Frame-Options in my .htaccess file. I would like only one specific site to be allowed (apart from the same-origin site). Although I am able to deny it for all, I have no clue how to allow it for only one site. I have looked up the docs on MDN, but I must have either overlooked something or I am not getting it correctly.

Code that did work to block all:

Header set X-Frame-Options DENY

None of the examples below worked, however; they resulted in a 500 external error:

Header set X-Frame-Options ALLOW-FROM URL

Header set X-Frame-Options: ALLOW-FROM URL

X-Frame-Options: ALLOW-FROM URL

I have other code in the htaccess file and added all of the above to test on the first line of the file.

Thanks for any help.

prettyInPink

3 Answers

9

Use:

Header set X-Frame-Options "ALLOW-FROM URL"

Since syntax is:

Header set <header-name> <header-value>

DENY is one word, so it's parsed as the header value, but ALLOW-FROM your.url is parsed as two arguments, thus Apache complains about your.url as an unknown parameter.

It must be quoted to be considered as the whole header value. It's like command line arguments.

Pierre
  • 'X-frame allow-from url' might not be accepted by some browsers, but for this question, this answer is very correct and should be the accepted answer. This answer actually took care of the 500 error code. – Chimdi Sep 17 '20 at 21:14
2

"ALLOW-FROM uri" is not supported by all browsers. Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Vincent Wu
0

I've tried to put this in htaccess:

Header always unset X-Frame-Options


and put it in some directory so any website can embed the folder. In fact it didn't work in htaccess, but I have to put it in the Apache conf file and define in which directory:

<Directory /var/www/rootweb/html/public/vr/virtualvenue>
    Header always unset X-Frame-Options
</Directory>

So instead of filtering every website, just like whitelisting, I chose this as the easier way because any website can embed my virtual

Jay Chou
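As an added example (not code from any of the answers above), this Python check applies the points from the three answers to `.htaccess` lines: an unquoted `ALLOW-FROM URL` is split into two arguments, a raw header line is not a directive, `ALLOW-FROM` is not supported by all browsers, and `unset` removes the header entirely. It approximates Apache's quote-aware argument splitting with `shlex`; the function name and finding codes are chosen for this example.

```python
import shlex

ACTIONS = {"add", "append", "echo", "edit", "edit*", "merge", "set",
           "setifempty", "unset", "note"}
MESSAGES = {
    "NOT_A_DIRECTIVE": "raw header line, not an Apache directive: config error (500)",
    "BAD_SYNTAX": "malformed Header directive: config error (500)",
    "SPLIT_VALUE": "value split into several arguments, quote it: config error (500)",
    "ALLOW_FROM": "ALLOW-FROM is not supported by all browsers; "
                  "CSP frame-ancestors is the standardized replacement",
    "UNSET": "header removed: no X-Frame-Options restriction on framing remains",
}

def lint(line):
    """Return finding codes for one .htaccess line (X-Frame-Options only)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    try:
        tok = shlex.split(line)      # approximates Apache's quote-aware splitting
    except ValueError:               # unbalanced quote
        return ["BAD_SYNTAX"]
    if tok[0].lower() != "header":
        return ["NOT_A_DIRECTIVE"] if "x-frame-options" in tok[0].lower() else []
    args = tok[1:]
    if args and args[0].lower() in ("always", "onsuccess"):
        args = args[1:]              # optional condition before the action
    if len(args) < 2 or args[0].lower() not in ACTIONS:
        return ["BAD_SYNTAX"]
    # mod_headers accepts the header name with or without a trailing colon
    action, name, rest = args[0].lower(), args[1].rstrip(":").lower(), args[2:]
    if name != "x-frame-options":
        return []
    if action != "set":
        return ["UNSET"] if action == "unset" else []
    if not rest:
        return ["BAD_SYNTAX"]        # "set" needs a value
    found = []
    # After the value only one optional clause may follow: early, env=..., expr=...
    extra = [t.lower() for t in rest[1:]]
    if len(extra) > 1 or (extra and not (extra[0] == "early"
                                         or extra[0].startswith(("env=", "expr=")))):
        found.append("SPLIT_VALUE")
    if rest[0].upper().startswith("ALLOW-FROM"):
        found.append("ALLOW_FROM")
    return found

if __name__ == "__main__":  # lines quoted from the question and the first answer
    for s in ('Header set X-Frame-Options ALLOW-FROM URL',
              'Header set X-Frame-Options "ALLOW-FROM URL"'):
        print(s, "->", [MESSAGES[c] for c in lint(s)])
```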