IE 和 Chrome 的 Apache X-Frame-Options 冲突（只有一个有效！）

Question

I have a site that I need to load resources from itself as well as from another URL.

Therefore, in Apache, I added both the SAMEORIGIN and the ALLOW-FROM.

Interestingly, Chrome refused to show the page, stating that there is multiple X-Frame-Options headers with conflicting values, and falling back to 'deny'. On the other hand, IE works fine!

I modified it by removing the SAMEORIGIN and added my the originating site URL into the ALLOW-FROM. This time, Chrome works, but IE does not!

In case you wanted to try, these are the settings that I used that experience the issue:

# Test 1: Use these 2 lines will make IE work, but not Chrome
Header always append X-Frame-Options "SAMEORIGIN"
Header always append X-Frame-Options "ALLOW-FROM https://www.google.com"

# Test 2: Use these 2 lines will make Chrome work, but not IE 
# (<MyBaseServerURL> represents the location as indicated by the "SAMEORIGIN")
Header always append X-Frame-Options "ALLOW-FROM https://www.google.com"
Header always append X-Frame-Options "ALLOW-FROM https://<MyBaseServerURL>"

Could someone advise how I could resolve this?

Thanks and regards, Jacky

Answer 1

This is because ALLOW-FROM is only supported in FireFox.

Use a Content Security Policy instead.

Nginx:

add_header Content-Security-Policy "frame-src self *.mydomain.example";

Answer 2

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a , , or . Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options