
Sunday, October 16, 2016

Apache security headers - Iframe load issues

When your web site uses resources served from another domain, you run into a couple of security questions: may the other site's content be embedded in a frame at all, and may your own page load it? Two response headers answer them.

In this example site A loads an iframe from site B. The same mechanisms apply to other embedded resources (scripts, images, stylesheets).

Site A: https://siteA.com/iframeParent.html
<html>
<head>
 <meta charset="UTF-8">
</head> 


<body>
 <h1>This is an iframe loaded from another site</h1>
 <iframe src="https://siteB.com/iframe.html">
 </iframe>

</body>

</html>

Site B: https://siteB.com/iframe.html
<html>
<head>
 <meta charset="UTF-8">
</head> 

<body>
 <h2>I am an iframe</h2>
</body>
</html>


There are two security headers to use here: X-Frame-Options, which is sent by the site being framed (siteB), and Content-Security-Policy, which either side can send.
In Apache the Header directive is provided by mod_headers, so the module has to be loaded first (LoadModule headers_module modules/mod_headers.so, or a2enmod headers on Debian and Ubuntu). The always keyword makes the header go out on every response, error pages included.


If siteB sets SAMEORIGIN, only pages from siteB's own origin may frame it, so siteA will not be able to load the iframe:
    Header always set X-Frame-Options SAMEORIGIN

Use set rather than append for this header. X-Frame-Options takes exactly one value; append merges a second value into the same header ("SAMEORIGIN, DENY"), and a browser that receives two different values either refuses to frame the page at all (Chromium falls back to DENY) or ignores the header, neither of which is what was configured.

If siteB sets ALLOW-FROM siteA, then, in a browser that honours it, only siteA will be able to load the iframe. The value contains a space, so it has to be quoted:
    Header always set X-Frame-Options "ALLOW-FROM https://siteA.com"

ALLOW-FROM was only ever implemented by Internet Explorer and older Firefox releases; Chrome and Safari never supported it, and current browsers treat it as an unrecognised value and ignore the whole header, which leaves the page frameable from anywhere. It accepts a single origin, not a list. Treat it as a legacy fallback for IE and rely on frame-ancestors for everything else.

If siteB sets the Content-Security-Policy frame-ancestors directive to siteA, then only siteA will be able to load the iframe:
    Header always set Content-Security-Policy "frame-ancestors https://siteA.com"

A host written without a scheme (frame-ancestors siteA.com) inherits the scheme of the page being protected, so on an https page it matches only https://siteA.com; writing the scheme out makes that explicit. Every ancestor frame, not just the top-level page, has to match the list. Browsers that understand frame-ancestors ignore X-Frame-Options when both headers are present, so the usual deployment is frame-ancestors for current browsers plus X-Frame-Options SAMEORIGIN or DENY for old ones. frame-ancestors only works as a response header; it is ignored inside a <meta http-equiv> tag.


The framing side can be restricted too, with a policy that siteA sends for its own page.

If siteA sets default-src 'none', its page may not load any resource at all: not the iframe from siteB, and not its own scripts, images or stylesheets either, because every fetch directive that is not set explicitly falls back to default-src:
    Header always set Content-Security-Policy "default-src 'none'"

If siteA sets default-src 'self' siteB.com, its page may load resources from its own origin and from siteB.com (over https, since a host without a scheme inherits the page's scheme), and nothing from anywhere else:
    Header always set Content-Security-Policy "default-src 'self' siteB.com"

'self' and 'none' are keywords and keep their single quotes; host names are written without quotes. If only the frame should be opened to siteB, put siteB.com in the more specific frame-src directive (browsers consult frame-src, then child-src, then default-src) and keep default-src at 'self'.
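To make the rules on both sides concrete, here is a small Python model of how a browser evaluates these headers. It is an added example, not code from the original post or from Apache. framing_allowed() takes siteB's response headers and the chain of ancestor documents and answers whether the iframe may render (CSP frame-ancestors first, X-Frame-Options only when no frame-ancestors directive is present); load_allowed() takes siteA's own policy and answers whether a resource may be fetched, following the frame-src, child-src, default-src fallback. The function names are mine. Assumptions: URL paths and redirects are ignored, every ancestor is checked, and conflicting X-Frame-Options values are resolved as Chromium does (fall back to DENY), which is the behaviour that makes Header append dangerous for this header. The hostnames are the post's siteA.com and siteB.com.

```python
"""Model of how a browser applies X-Frame-Options / CSP frame-ancestors to the
framed page (siteB) and CSP default-src / frame-src to the framing page (siteA).
Assumptions: URL paths and redirects are ignored (only scheme, host and port are
compared), every ancestor frame is checked, and conflicting X-Frame-Options
values are resolved as Chromium does (fall back to DENY)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Directives consulted, in order, for a frame load; other fetch types use their own
# directive and then default-src.
FALLBACK = {"frame-src": ("frame-src", "child-src", "default-src")}


def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def parse_csp(header):
    """Map directive name -> source list for one CSP header value."""
    out = {}
    for directive in (header or "").split(";"):
        tokens = directive.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # a repeated directive is ignored
    return out


def _host_source_matches(expr, url, self_origin):
    """CSP host-source match, e.g. siteA.com, https://siteA.com:8443, *.siteA.com."""
    u_scheme, u_host, u_port = origin_of(url)
    # A host-source without a scheme inherits the scheme of the protected page.
    parts = urlsplit(expr if "://" in expr else f"{self_origin[0]}://{expr}")
    e_scheme, e_host = parts.scheme.lower(), (parts.hostname or "").lower()
    # http: in a policy also admits https:, but https: never admits http:.
    if not (u_scheme == e_scheme or (e_scheme == "http" and u_scheme == "https")):
        return False
    if e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):
            return False
    elif u_host != e_host:
        return False
    if parts.port is None:  # no port in the policy: only the scheme's default port matches
        return u_port == DEFAULT_PORTS.get(u_scheme)
    return u_port == parts.port


def source_list_matches(sources, url, self_origin):
    """True if any source expression in the list matches the URL's origin."""
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and origin_of(url) == self_origin:
            return True
        if src == "*" or (src.endswith(":") and origin_of(url)[0] == src[:-1].lower()):
            return True  # wildcard, or a scheme-source such as https:
        if not src.startswith("'") and _host_source_matches(src, url, self_origin):
            return True
    return False


def framing_allowed(page_url, headers, ancestors):
    """May page_url, served with these response headers, render inside a frame whose
    ancestor documents are `ancestors` (outermost first)?  A header that Apache
    emitted twice (e.g. via `Header append`) reaches the browser merged as 'v1, v2'."""
    if not ancestors:
        return True  # top-level navigation: nothing to check
    self_origin = origin_of(page_url)
    headers = {k.lower(): v for k, v in headers.items()}

    # 1. A CSP with frame-ancestors is authoritative; X-Frame-Options is then ignored.
    sources = parse_csp(headers.get("content-security-policy")).get("frame-ancestors")
    if sources is not None:
        return all(source_list_matches(sources, a, self_origin) for a in ancestors)

    # 2. X-Frame-Options: classify each comma-separated value. ALLOW-FROM and any other
    #    unknown value count as "invalid", which browsers ignore rather than enforce.
    raw = headers.get("x-frame-options", "")
    kinds = {v.strip().lower() for v in raw.split(",") if v.strip()}
    kinds = {k if k in ("deny", "sameorigin", "allowall") else "invalid" for k in kinds}
    if len(kinds) > 1:
        return False  # conflicting values: Chromium falls back to DENY
    if kinds == {"deny"}:
        return False
    if kinds == {"sameorigin"}:
        return all(origin_of(a) == self_origin for a in ancestors)
    return True  # no header, ALLOWALL, or an ignored value: anyone may frame the page


def load_allowed(page_url, csp_header, resource_url, directive):
    """Does page_url's own CSP permit fetching resource_url for `directive`?"""
    directives = parse_csp(csp_header)
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in directives:
            return source_list_matches(directives[name], resource_url, origin_of(page_url))
    return True  # no governing directive: the load is unrestricted
```

Running the post's configurations through it shows the points that are easy to miss: SAMEORIGIN on siteB blocks siteA; a lone ALLOW-FROM blocks nobody in a browser that has dropped it; a merged "SAMEORIGIN, ALLOW-FROM …" (what append produces) blocks siteA as well; frame-ancestors siteA.com admits https://siteA.com but not http://siteA.com, nor a siteA page that is itself framed by a third site; and default-src 'none' on siteA blocks its own scripts as well as the frame.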


Note: Browser support:
