X-Frame-Options Allow-From multiple domains

by

X-Frame-Options is deprecated. From MDN:

This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Do not use it in old or new projects. Pages or Web apps using it may break at any time.

The modern alternative is the Content-Security-Policy header, which along many other policies can white-list what URLs are allowed to host your page in a frame, using the frame-ancestors directive.
frame-ancestors supports multiple domains and even wildcards, for example:

Content-Security-Policy: frame-ancestors 'self' example.com *.example.net ;

Unfortunately, for now, Internet Explorer does not fully support Content-Security-Policy.

UPDATE: MDN has removed their deprecation comment. Here’s a similar comment from W3C’s Content Security Policy Level

The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

More Related Contents:

  1. IIS and Static content?
  2. How do I resolve “HTTP Error 500.19 – Internal Server Error” on IIS7.0 [closed]
  3. Receiving login prompt using integrated windows authentication
  4. What is the App_Data folder used for in Visual Studio?
  5. IIS 500.19 with 0x80070005 The requested page cannot be accessed because the related configuration data for the page is invalid error
  6. How to set the maxAllowedContentLength to 500MB while running on IIS7?
  7. IIS7 Cache-Control
  8. How serious is this new ASP.NET security vulnerability and how can I workaround it?
  9. System.Security.SecurityException when writing to Event Log
  10. Request is not available in this context
  11. How do I protect static files with ASP.NET form authentication on IIS 7.5?
  12. Mixing Forms authentication with Windows authentication
  13. Asp.net Identity password hashing
  14. Remove HTML or ASPX Extension
  15. Global ASAX – get the server name
  16. Forms Authentication Ignoring Default Document
  17. Redirect to a page with endResponse to true VS CompleteRequest and security thread
  18. How to set up subdomains on IIS 7
  19. Windows Authentication for ASP.NET MVC 4 – how it works, how to test it
  20. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  21. Nested ASP.NET ‘application’ within IIS inheriting parent config values?
  22. Hosting ASP.NET in IIS7 gives Access is denied?
  23. Cannot use a leading ../ to exit above the top directory
  24. How to limit page access only to localhost?
  25. Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan
  26. What does ‘IISReset’ do?
  27. User ASP.NET runs under
  28. Diagnosing 404 errors on IIS 7 and ASP.NET MVC
  29. Why do ASP.NET JSON web services return the result in ‘d’?
  30. Web authentication state – Session vs Cookie?

Leave a Comment