How do you do this? I want only one other website to be able to load my main website in an iFrame but nothing is working.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Apparently, as I understand it, the protocol you set in .htaccess is this.

So far I've tried:

1. Header set Content-Security-Policy "frame-ancestors 'self' https://example.subdomain.co;"

2. Header always set Content-Security-Policy "frame-ancestors 'self' 'https://example.subdomain.co';"

3. Header set Content-Security-Policy "frame-ancestors 'self' 'https://example.subdomain.co';"

None of these work. When I try to load an iframe of example.com inside https://example.subdomain.co I get the following error:

Refused to display 'https://example.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

And then I get more confused because apparently you can only do DENY and SAMEORIGIN with this.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.

The one I would have wanted is ALLOW-FROM, but:

ALLOW-FROM uri This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

It's deprecated and it doesn't work.

Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'

This answer doesn't help because they don't talk about what I want to do; they just explain what it is.

How to set 'X-Frame-Options' on iframe?

Again, not helpful because it's explaining to OP that the header is set on the website in the iframe source.

Is there a way to set X-Frame-Options for frame-ancestors somehow to make this work, so that I can load an iframe of my website on one other specific website? Or is this not possible?

halfer
kawnah
  • So your attempts to define a proper CSP for this were hindered by the fact that your server _also_ responds with the outdated X-FRAME-OPTIONS header - so try and _remove_ the latter (`Header unset`) – CBroe Dec 22 '21 at 07:12

1 Answer

When you set frame-ancestors correctly, all browsers that understand it will disregard X-Frame-Options. This means that you can set both headers and use ALLOW-FROM, as you will then serve X-Frame-Options to IE and frame-ancestors to other browsers.

Have you checked if your Content-Security-Policy is present as a response header? Your first version is the most correct one, but you can drop the scheme as such: "frame-ancestors 'self' example.subdomain.co;". There should not be any single quotes around hosts in sources.

Halvor Sakshaug
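As an added illustration of the answer's two points (a present frame-ancestors directive makes the browser ignore X-Frame-Options, and hosts in the source list must not be quoted), here is a small Python model of the browser's framing decision. It is not code from the question, the answer or any browser; the CSP source matching is simplified (no IP literals or paths) and the header values used to exercise it are constructed from the attempts in the question.

```python
"""Model of how a browser decides whether a page may be framed.

Added example, not code from the question, the answer or any browser:
CSP frame-ancestors matching is simplified (no IP literals, no paths)
and the header values used to exercise it are constructed from the question.
"""
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None

def source_matches(source, embedder, page):
    """Match one source expression against the embedding page's origin."""
    e, p = urlsplit(embedder), urlsplit(page)
    if source.startswith("'"):
        # Only 'self' and 'none' are valid keywords here; a quoted host such as
        # 'https://example.subdomain.co' is not a host-source and matches nothing.
        return source == "'self'" and (e.scheme, e.netloc) == (p.scheme, p.netloc)
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return e.scheme == source[:-1]
    if "://" in source:                           # host-source with explicit scheme
        s = urlsplit(source)
        scheme_ok = s.scheme == e.scheme or (s.scheme, e.scheme) == ("http", "https")
    else:                                         # no scheme: the page's scheme applies
        s = urlsplit("//" + source)
        scheme_ok = e.scheme == p.scheme or (p.scheme, e.scheme) == ("http", "https")
    host_ok = s.hostname == e.hostname or (
        s.hostname.startswith("*.") and e.hostname.endswith(s.hostname[1:]))
    return scheme_ok and host_ok and s.port == e.port  # default ports left implicit

def framing_allowed(headers, page, embedder):
    """True if `page`, served with `headers`, may be framed by `embedder`."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors present: browsers that support it ignore X-Frame-Options.
        return any(source_matches(src, embedder, page) for src in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return urlsplit(page)[:2] == urlsplit(embedder)[:2]
    return True
```

Run against the question's first attempt plus the server's existing `X-Frame-Options: SAMEORIGIN`, the model allows framing from https://example.subdomain.co; against the second and third attempts, the quoted host is discarded and only 'self' remains, so the embed is refused.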