Stack Exchange
Stack Overflow
Questions
Tags
Users
About
Stack Overflow
Public
Questions
Tags
Users
About
Can I apply X-Frame-Options header and people still use
with my website</a></h1> </div> <div class="grid fw-wrap pb8 mb16 bb bc-black-075"> <div class="grid--cell ws-nowrap mr16 mb8" title="2016-01-12 19:07:53Z"> <span class="fc-light mr2">Asked</span> <time itemprop="dateCreated" datetime="2018-12-04T08:47:09.267" class="fromnow">Dec 04 '18 at 08:47</time> </div> <div class="grid--cell ws-nowrap mr16 mb8"> <span class="fc-light mr2">Active</span> <time class="fromnow" title="2018-12-04T09:26:18.050" datetime="2018-12-04T09:26:18.050">Dec 04 '18 at 09:26</a> </div> <div class="grid--cell ws-nowrap mb8" title="Viewed 2,858 times"> <span class="fc-light mr2">Viewed</span> 2,858 times </div> </div> <div id="mainbar" role="main" aria-label="questions and answers"> <div id="question" class="question" data-questionid="53608870" data-ownerid="4255756" data-score="0"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="53608870"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="0">0</div> <button class="js-bookmark-btn s-btn s-btn__unset c-pointer py4"> <svg aria-hidden="true" class="svg-icon iconBookmark" width="18" height="18" viewBox="0 0 18 18"><path d="M6 1a2 2 0 00-2 2v14l5-4 5 4V3a2 2 0 00-2-2H6zm3.9 3.83h2.9l-2.35 1.7.9 2.77L9 7.59l-2.35 1.7.9-2.76-2.35-1.7h2.9L9 2.06l.9 2.77z"></path></svg> <div class="js-bookmark-count mt4" data-value=""></div> </button> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>I want to add this header to my nginx server </p> <pre><code>add_header X-Frame-Options "SAMEORIGIN"; </code></pre> <p>However I want people to still be able to use an <code><iframe></code> that refers to my website.</p> <p>Like youtube provides an embeded url for video, I do the same for a particular part of my website.</p> <p>is <code>"SAMEORIGIN"</code> is the right value? or is <code>X-Frame-Options</code> header is in conflict with the functionality I'm trying to acheive?</p></div> <div class="mt24 mb12"> <div class="post-taglist grid gs4 gsy fd-column"> <div class="grid ps-relative"> <a href="../../questions/tagged/html" class="post-tag js-gps-track" title="show questions tagged 'html'" rel="tag">html</a> <a href="../../questions/tagged/iframe" class="post-tag js-gps-track" title="show questions tagged 'iframe'" rel="tag">iframe</a> <a href="../../questions/tagged/http-headers" class="post-tag js-gps-track" title="show questions tagged 'http-headers'" rel="tag">http-headers</a> <a href="../../questions/tagged/x-frame-options" class="post-tag js-gps-track" title="show questions tagged 'x-frame-options'" rel="tag">x-frame-options</a> </div> </div> </div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature owner grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="asked Dec 04 '18 at 08:47">asked Dec 04 '18 at 08:47</time> <a href="../../users/4255756/usertest" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/4255756.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="usertest" /> </a> <div class="s-user-card--info"> <a href="../../users/4255756/usertest" class="s-user-card--link">usertest</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">2,140</li> <li class="s-award-bling s-award-bling__gold" title="4 gold badges">4</li> <li class="s-award-bling s-award-bling__silver" title="32 silver badges">32</li> <li class="s-award-bling s-award-bling__bronze" title="51 bronze badges">51</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> </div> </div> </div> <div id="answers"> <a name="tab-top"></a> <div id="answers-header"> <div class="answers-subheader grid ai-center mb8"> <div class="grid--cell fl1"> <h2 class="mb0" data-answercount="9">1 Answers<span style="display:none;" itemprop="answerCount">1</span></h2> </div> </div> </div> <a name="53609247"></a> <div id="answer-53609247" class="answer " data-answerid="53609247" data-ownerid="5789458" data-score="3" itemprop="suggestedAnswer" itemscope="" itemtype="https://schema.org/Answer"> <div class="post-layout"> <div class="votecell post-layout--left"> <div class="js-voting-container grid jc-center fd-column ai-stretch gs4 fc-black-200" data-post-id="53609247"> <button class="js-vote-up-btn grid--cell s-btn s-btn__unset c-pointer"><svg aria-hidden="true" class="m0 svg-icon iconArrowUpLg" width="36" height="36" viewBox="0 0 36 36"><path d="M2 26h32L18 10 2 26z"></path></svg></button> <div class="js-vote-count grid--cell fc-black-500 fs-title grid fd-column ai-center" itemprop="upvoteCount" data-value="3">3</div> </div> </div> <div class="postcell post-layout--right"> <div class="s-prose js-post-body" itemprop="text"><p>There are three possible directives for <code>X-Frame-Options</code>:</p> <ul> <li><code>X-Frame-Options: deny</code> page cannot be displayed in a frame</li> <li><code>X-Frame-Options: sameorigin</code> page can only be displayed in a frame on the same origin as the page itself (same domain)</li> <li><code>X-Frame-Options: allow-from https://example.com/</code> page can only be displayed in a frame on the specified origin</li> </ul> <p>If you set it at <code>sameorigin</code> when hosts(people) try to load your site in an <code><iframe></code> then the browser give you an error. Try this and open your dev console:</p> <p></p><div class="snippet" data-babel="false" data-console="true" data-hide="false" data-lang="js"> <div class="snippet-code"> <pre class="snippet-code-html lang-html prettyprint-override"><code><iframe src="https://www.google.com"/></code></pre> </div> </div> <p>So in short <code>sameorigin</code> of course is the wrong choice if you want your site to be loaded into an <code><iframe></code> by other people(domains). Try reading this if you want to get what you are looking for:</p> <p><a href="../../questions/6666423/overcoming-display-forbidden-by-x-frame-options">Overcoming "Display forbidden by X-Frame-Options"</a></p></div> <div class="mb0"> <div class="mt16 grid gs8 gsy fw-wrap jc-end ai-start pt4 mb16"> <div class="grid--cell mr16 fl1 w96"></div> <div class="post-signature grid--cell"> <div class="user-info "> <div class="user-action-time">edited <span title="2018-12-04T09:26:18.050" class="relativetime">Dec 04 '18 at 09:26</span></div> <div class="user-gravatar32"></div> <div class="user-details" itemprop="author" itemscope="" itemtype="http://schema.org/Person"> <span class="d-none" itemprop="name">Alberto Favaro</span> <div class="-flair"></div> </div> </div> </div> <div class="post-signature grid--cell"> <div class="s-user-card s-user-card"> <time class="s-user-card--time" datetime="answered Dec 04 '18 at 09:09">answered Dec 04 '18 at 09:09</time> <a href="../../users/5789458/alberto-favaro" class="s-avatar s-avatar__32 s-user-card--avatar"> <img class="s-avatar--image" src="../../users/profiles/5789458.webp" data-jdenticon-width="32" data-jdenticon-height="32" data-jdenticon-value="Alberto Favaro" /> </a> <div class="s-user-card--info"> <a href="../../users/5789458/alberto-favaro" class="s-user-card--link">Alberto Favaro</a> <ul class="s-user-card--awards"> <li class="s-user-card--rep" title="reputation score">1,824</li> <li class="s-award-bling s-award-bling__gold" title="3 gold badges">3</li> <li class="s-award-bling s-award-bling__silver" title="21 silver badges">21</li> <li class="s-award-bling s-award-bling__bronze" title="46 bronze badges">46</li> </ul> </div> </div> </div> </div> </div> </div> <div class="post-layout--right js-post-comments-component"> <div id="comments-53609247" class="comments js-comments-container bt bc-black-075 mt12 " data-post-id="53609247" data-min-length="15"> <ul class="comments-list js-comments-list" data-remaining-comments-count="0" data-canpost="false" data-cansee="true" data-comments-unavailable="false" data-addlink-disabled="true"> <li id="comment-94080377" class="comment js-comment " data-comment-id="94080377" data-comment-owner-id="4255756" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment94080377_53609247"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">is there a value for X-Frame-Options: allow-from that allow all domain? like allow-from *</span> – <a href="../../users/4255756/usertest" title="2,140 reputation" class="comment-user owner">usertest</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/53608870/can-i-apply-x-frame-options-header-and-people-still-use-iframe-with-my-website#comment94080377_53609247"><span title="2018-12-04T09:28:27.987 License: CC BY-SA 4.0" class="relativetime-clean">Dec 04 '18 at 09:28</span></a></span> </div> </div> </li> <li id="comment-94080496" class="comment js-comment " data-comment-id="94080496" data-comment-owner-id="5789458" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment94080496_53609247"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">allow-from is no longer suppurated by Chrome and Firefox so you need use another header "Content-Security-Policy"</span> – <a href="../../users/5789458/alberto-favaro" title="1,824 reputation" class="comment-user ">Alberto Favaro</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/53608870/can-i-apply-x-frame-options-header-and-people-still-use-iframe-with-my-website#comment94080496_53609247"><span title="2018-12-04T09:31:35.520 License: CC BY-SA 4.0" class="relativetime-clean">Dec 04 '18 at 09:31</span></a></span> </div> </div> </li> <li id="comment-94080584" class="comment js-comment " data-comment-id="94080584" data-comment-owner-id="5789458" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment94080584_53609247"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">if you want to load certain pages of your site in iframe you can use a proxy page that load the content you want or you can override the header for certain page, read the link above, there are different solutions</span> – <a href="../../users/5789458/alberto-favaro" title="1,824 reputation" class="comment-user ">Alberto Favaro</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/53608870/can-i-apply-x-frame-options-header-and-people-still-use-iframe-with-my-website#comment94080584_53609247"><span title="2018-12-04T09:33:35.373 License: CC BY-SA 4.0" class="relativetime-clean">Dec 04 '18 at 09:33</span></a></span> </div> </div> </li> <li id="comment-94080657" class="comment js-comment " data-comment-id="94080657" data-comment-owner-id="4255756" data-comment-score="0"> <div class="js-comment-actions comment-actions"> <div class="comment-score js-comment-edit-hide"> </div> </div> <div class="comment-text js-comment-text-and-form"> <a name="comment94080657_53609247"></a> <div class="comment-body js-comment-edit-hide"> <span class="comment-copy">I have Content-Security-Policy set. Then I guess I will do without this header.</span> – <a href="../../users/4255756/usertest" title="2,140 reputation" class="comment-user owner">usertest</a> <span class="comment-date" dir="ltr"><a class="comment-link" href="../../questions/53608870/can-i-apply-x-frame-options-header-and-people-still-use-iframe-with-my-website#comment94080657_53609247"><span title="2018-12-04T09:35:15.317 License: CC BY-SA 4.0" class="relativetime-clean">Dec 04 '18 at 09:35</span></a></span> </div> </div> </li> </ul> </div> </div> </div> </div> </div> </div> </div> </div> <script src="../../static/js/stack-icons.js"></script> <script src="../../static/js/fromnow.js"></script> </body> </html>