#27966 X-Frame-Options SAMEORIGIN and ALLOW-FROM https://example.com/

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 20 July 2017 17:17 CDT

heleen
Hi,

I would like to use this in .htaccess:

Header append X-Frame-Options SAMEORIGIN
AND
Header append X-Frame-Options ALLOW-FROM https://example.com/

Is it possible to have both at the same time?
How should it look in code to add to .htaccess?
I tried several combinations but get an error message on the website when doing this.



I configured Admin Tools to have this in .htaccess:

<IfModule mod_headers.c>

Header append X-Frame-Options SAMEORIGIN

# The `X-Frame-Options` response header should be sent only for
# HTML documents and not for the other resources.

<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>

</IfModule>

Thanks

dlb
I am sorry, this is not a question that I can help you with. Nicholas and Davide are attending a conference this weekend and will not be back until Tuesday. I will ask them to take a look at your issue when they return.

I apologize for the delay and thank you for your patience.


Dale L. Brackin
Support Specialist


English: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


My time zone is EST (UTC -5), Philadelphia, PA

heleen
Thanks for your reply Dale, we'll wait until Tuesday.

nicholas
Akeeba Staff
Manager
This is outside the scope of our support. While you can use Admin Tools to set up the .htaccess directives to set this header, the use of this header is not a feature of Admin Tools, it's a web standard (RFC 7034) implemented by web browsers and web servers. The web browsers and servers are third party software, external to us. All we can do is point you to the (external) documentation of this header. Please consult the Mozilla Developer Network documentation for the X-Frame-Options HTTP header.

As you can see, this header can have ANY of the three possible values but only ONE at a time. The implication of ALLOW-FROM is that the page can only be displayed in a frame on the specified origin. You can only specify a single origin. Likewise, the SAMEORIGIN value is like using ALLOW-FROM with the same hostname that serves the page.

The reason for this HTTP header's existence is to lock down the frame display of a page either completely (nobody can display it) or to a single, specific domain. If you want multiple domains to be able to display the page in an IFRAME you will simply have to NOT use this HTTP header. This is all explained in the relevant RFC 7034.

I hope that helps!

Nicholas K. Dionysopoulos

Lead Developer and Director

Greek: native, English: excellent, French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
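Added example, not from the ticket and not Akeeba or Admin Tools code: a small Python check for the situation above. It reconstructs the single header value a browser ends up with when .htaccess emits both directives (mod_headers "Header append" merges them into one comma-separated field) and flags it, since RFC 7034 allows exactly one directive; the HTTP response text is constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample response, as a browser would see it when .htaccess
# emits the header twice (mod_headers "Header append" merges the values
# into one comma-separated field; two separate fields behave the same).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com/\r\n"
    "\r\n"
)

def effective_xfo(raw_headers):
    """Return the single X-Frame-Options value a client ends up with,
    joining duplicate fields with ', ' (the usual header-list merge)."""
    vals = []
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            vals.append(val.strip())
    return ", ".join(vals) if vals else None

def check_x_frame_options(value):
    """Validate one X-Frame-Options value against RFC 7034.
    Returns (ok, detail): ok is True only for exactly one of DENY,
    SAMEORIGIN, or ALLOW-FROM with a single origin."""
    if not value or not value.strip():
        return False, "header absent: any origin may frame the page"
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 1:
        # RFC 7034 leaves multiple directives undefined; browsers may
        # ignore the header entirely, so this is the hole to flag.
        return False, "multiple directives %r; exactly one is allowed" % parts
    token, _, arg = parts[0].partition(" ")
    token, arg = token.upper(), arg.strip()
    if token in ("DENY", "SAMEORIGIN"):
        return (False, "%s takes no argument" % token) if arg else (True, token)
    if token == "ALLOW-FROM":
        u = urlsplit(arg)
        if not arg or " " in arg or u.scheme not in ("http", "https") \
                or not u.netloc or u.path not in ("", "/") or u.query or u.fragment:
            return False, "ALLOW-FROM needs exactly one bare origin, got %r" % arg
        return True, "ALLOW-FROM %s://%s" % (u.scheme, u.netloc)
    return False, "unknown directive %r" % token

if __name__ == "__main__":
    value = effective_xfo(SAMPLE_RESPONSE)
    print(value, "->", check_x_frame_options(value))
```

Where more than one framing origin genuinely must be allowed, the Content-Security-Policy frame-ancestors directive accepts a list of sources and is the mechanism current browsers honor.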

heleen
Hi Nicholas,

Thanks for your valuable reply.

Have a nice day

nicholas
Akeeba Staff
Manager
You're welcome!

Nicholas K. Dionysopoulos

Lead Developer and Director

Greek: native, English: excellent, French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!