Change the X-Frame-Options to allow all domains

2020-05-25 05:57发布

问题:

I am trying to use some site of mine as an iframe from a different site of mine.

My problem is- the other site is always consistently changes his IP address and does not have an domain name.

So, I read that you can allo a specific domain by adding this lint to the /etc/nginx/nginx.conf:

 add_header X-Frame-Options "ALLOW-FROM https://subdomain.example.com/";

My question is: It is possible to allow my site to be imported as an iframe from all IP addressed and domains? What should I write in order to achieve this?

I am using Ubuntu 16.04 and nginx 1.10.0.

回答1:

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.



回答2:

ALLOWALL is the default value.

Sometimes frameworks MVC such as Rails, Laravel, Django and so on, set a X_FRAME_OPTIONS to SAMEORIGIN so someone might need to reset it to the origin ALLOWALL value.



回答3:

Well you can check the ip address of the remote host from the server. You can then send a X-Frame-Options response HTTP header with the value: "Allow-From ip-address", where ip address is the remote ip address that is trying to embed content on your server. This will allow your website to be embedded by all websites that are accessed using an ip address from the browser.

Another option is to embed the content in iframe and include the domain name in the iframe source url. The domain name parameter can be read by the server and included in the X-Frame-Options response header.