0

I know very little about server configuration so excuse me if this is a silly question. I have a site that hosts content for an iframe (mydomain.com) and I want to allow a couple of other sites to embed an iframe on their site of my content. Initially, it was blocked so I read up on how to allow it using my nginx configuration on ubuntu digital ocean server but I could not find anything on allowing more than one domain. When I try using the below directives it will throw console errors in firefox for not being allowed. How do I allow more than one domain to use our content in an iframe?

This is what I tried:

add_header X-Frame-Options "ALLOW-FROM https://www.onedomain.com/";
add_header X-Frame-Options "ALLOW-FROM https://www.anotherdomain.com/";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

The error code in the console shows:

Load denied by X-Frame-Options: https://www.onedomain.com/ does not permit framing by https://www.anotherdomain.com/
Derek
  • 4,747
  • 7
  • 44
  • 79
  • Possible Duplicate of https://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains – Shawn C. Nov 15 '17 at 14:21
  • Possible duplicate of [X-Frame-Options Allow-From multiple domains](https://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains) – Shawn C. Nov 15 '17 at 14:21
  • @ShawnC. Both of these are specific to ASP.net, I am unable to make sense of the answers for my Nginx configuration using Ubuntu -- I will edit the question to specify I am running on Ubuntu – Derek Nov 15 '17 at 14:32
  • 1
    NGINX or ASP.net the browsers still follow RFC 7034 which states you can only have one Allow From. You can use Content-Security-Policy which allows multiple. – Shawn C. Nov 15 '17 at 14:43
  • 1
    Thanks @ShawnC. I'm a total newbie to this, is there something specific I can look for or an example you can give? – Derek Nov 15 '17 at 15:55

0 Answers0