Cross Site iFrame Security

I really don’t even know which section to put this in as it could belong to various categories.

I have a short list of customers who use iFrames to pull our Catalog site into their site.
Old School, not the best, I know, but it’s what we have for now.

We’ve enhanced our security protocols and the x-frame-options header on apache blocks the ability to iframe anything outside of the origin (SAMEORIGIN)

I’ve read numerous articles and forums on how to make this work.
There are numerous methods, some older than others.
I’ve tried several approaches to no avail.

So, my question is, within the less than ideal situation of using an iFrame, what is the best method to securely display that in my customers websites???

Greatly appreciate your feedback!!!

So you have decided to give up on the iframe approach?

What happens if you try the object tag instead?

Hey Mittineague,
Thanks for responding.
Honestly, I’ve tried various approaches and cannot get anything to work.
I’ve not given up on anything as I have to get this done.

So, you think the OBJECT tag instead of IFRAME will work?
It’s still cross-site activity though, right?
Won’t I still run into x-frame-options issues?

I think so

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>.

There are three settings for X-Frame-Options:

SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent the page from displaying in a frame or iframe.
ALLOW-FROM uri: This setting will allow the page to be displayed only on the specified origin.

How to implement in Apache, IBM HTTP Server?

e.g. Add the following line to the Apache Web Server’s httpd.conf file

Header always append X-Frame-Options SAMEORIGIN

Restart Apache Web Server

Thanks for the info.

SAMEORIGIN won’t work for me.
I need the ALLOW-FROM uri… which I’ve tried.
Still get the X-Frame-Options problem… but, I’m doing it from htaccess.

I can try and get my server people to put the ALLOW-FROM directive on Apache, so there is no conflict and I won’t need htaccess. What I discovered as I was about to do that is that ALLOW-FROM only allows for 1 URL. I have about 25 customers I need to get this to work for.
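An added example, not code from anyone in this thread: it models how a browser evaluates an X-Frame-Options value against the origin of the embedding page, covering the three settings listed above, the single-origin limit of ALLOW-FROM, and what happens when `Header append` in httpd.conf and a second value from .htaccess get merged into one comma-joined header (the HTML standard treats two different values as conflicting and blocks the frame). The catalog and customer URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Normalise an absolute http(s) URL to its origin: scheme://host[:non-default port]."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    host = p.hostname.lower()
    if p.port is None or p.port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{p.port}"

def parse_xfo(header_value):
    """Return (directive, allowed_origin) for one X-Frame-Options header value.
    Comma-joined values (what Apache's 'Header append' produces when a second
    value is added elsewhere, e.g. from .htaccess) are split; two different
    values are a CONFLICT, which browsers resolve by refusing to frame."""
    raw = [v.strip() for v in header_value.split(",") if v.strip()]
    if not raw:
        return "ABSENT", None
    if len({v.upper() for v in raw}) > 1:
        return "CONFLICT", None
    value, upper = raw[0], raw[0].upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return upper, None
    if upper.startswith("ALLOW-FROM"):
        target = value[len("ALLOW-FROM"):].strip()
        if not target or " " in target:  # ALLOW-FROM takes exactly one origin
            return "INVALID", None
        return "ALLOW-FROM", origin_of(target)
    return "INVALID", None

def may_be_framed(header_value, framed_url, embedder_url):
    """True if a browser honouring the header (legacy ALLOW-FROM included)
    would render framed_url inside a frame on embedder_url."""
    directive, allowed = parse_xfo(header_value)
    if directive in ("DENY", "CONFLICT"):
        return False
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(embedder_url)
    if directive == "ALLOW-FROM":
        return origin_of(embedder_url) == allowed
    return True  # ABSENT or INVALID: the header imposes no restriction at all

def allowed_customers(header_value, catalog_url, customer_urls):
    """Which of the customer pages may embed the catalog under this header value."""
    return [u for u in customer_urls if may_be_framed(header_value, catalog_url, u)]

# Constructed sample data: one catalog page and three customer pages.
CATALOG = "https://catalog.example/products"
CUSTOMERS = ["https://shop-a.example/page",
             "https://shop-b.example:8443/embed",
             "http://shop-a.example/page"]
```

Because ALLOW-FROM names a single origin, `allowed_customers` can never return more than one distinct customer origin for it, which is the limitation described above; note also that current browsers ignore ALLOW-FROM altogether and honour the Content-Security-Policy `frame-ancestors` directive instead.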
