• Resolved Jay.Dub

    (@jaydub-1)


    When setting the X-Frame-Options to ALLOW-FROM it kills our site and the content is wiped from the .htaccess. Does anyone else have this issue?

    I need to allow a hubspot domain but cannot.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Jay.Dub

    (@jaydub-1)

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @jaydub-1,

    Thank you for downloading the Headers Security Advanced & HSTS WP plugin. I’m Andrea; thanks for your feedback. I wanted to update you that within a few hours I will release a patch of the plugin with the resolution of your issue.

    For any information or help, I am here to help you.

    Thread Starter Jay.Dub

    (@jaydub-1)

    That sounds good, many thanks.
    Is there a way to add multiple domains also?

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jaydub-1,

    Since the X-Frame-Options header with the ALLOW-FROM directive supports only a single URL per response (and is becoming obsolete in favor of Content Security Policy (CSP) for more granular controls), you should consider using CSP with the frame-ancestors directive if you need to specify multiple domains from which to allow embedding. This provides more flexibility and security.

    Thread Starter Jay.Dub

    (@jaydub-1)

    Much appreciated. Will your plugin control CSP moving forward?

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jaydub-1,

    I try to constantly update the plugin and keep it with the latest STANDARDS from OWASP and Mozilla Dev.

    Thread Starter Jay.Dub

    (@jaydub-1)

    Does the ALLOW-FROM mean it’s the only domain allowed or is it an additional domain than the one the site is on?

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hello @jaydub-1,

    The ALLOW-FROM directive in the context of web security headers, particularly the X-Frame-Options HTTP response header, specifies which domain is allowed to frame the content of the site. When you set X-Frame-Options: ALLOW-FROM https://example.com, it means that the page can only be framed by the specified domain (https://example.com in this case), and it is indeed the only domain allowed to do so, excluding even the site itself if it’s on a different domain.

    So, to directly answer your question: ALLOW-FROM means it’s the only domain allowed to frame the content, not an additional domain allowed alongside the domain the site is on. If you need to allow multiple domains or more complex framing policies, it’s recommended to use the Content Security Policy (CSP) header with the frame-ancestors directive instead, as X-Frame-Options is more limited in its capabilities.

    The X-Frame-Options header does not support the inclusion of multiple domains directly; it can only specify a single domain with the ALLOW-FROM directive. If you need to allow framing of your content from multiple domains, you should use the Content Security Policy (CSP) header with the frame-ancestors directive.

    Here is an example on how to set the CSP header to allow framing from multiple domains:

    Content-Security-Policy: frame-ancestors 'self' https://example.com https://anotherexample.com;

    In this example, 'self' allows framing from the same source as the document, while https://example.com and https://anotherexample.com are two other domains from which framing is allowed. You can add as many domains as you like by simply listing them one after the other.

    Remember that CSP offers many other features for securing your website besides controlling framing, so it is a good practice to explore all of its guidelines and apply a comprehensive CSP policy that fits your security needs.

    I hope I’ve given you good assistance and details on how the two headers work, and if you have any other questions I’m available as soon as possible.
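
    As an added illustration of the header behaviour described in this answer (example code, not from the plugin or from anyone in the thread): a small Python checker that decides whether a given embedding origin would be allowed to frame a page under a set of response headers, giving CSP frame-ancestors precedence over X-Frame-Options and reporting the obsolete ALLOW-FROM form as providing no protection, since current browsers ignore it. The header values and URLs are constructed samples.

```python
from urllib.parse import urlsplit

SAMPLE_CSP = {"Content-Security-Policy": "frame-ancestors 'self' https://example.com https://anotherexample.com;"}  # constructed sample
SAMPLE_XFO = {"X-Frame-Options": "ALLOW-FROM https://example.com"}  # constructed sample (obsolete form)

def _origin(url):
    """(scheme, host, port) for a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or {"https": 443, "http": 80}.get(u.scheme)

def parse_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the CSP lacks it."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _source_allows(src, page_url, embedder_url):
    """Match one frame-ancestors source expression against the embedding origin."""
    src = src.lower()
    e_scheme, e_host, e_port = _origin(embedder_url)
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return _origin(page_url) == (e_scheme, e_host, e_port)
    if src.endswith(":") and "/" not in src:      # scheme-source such as https:
        return e_scheme == src[:-1]
    if "://" not in src:                            # host-source without a scheme
        src = f"{e_scheme}://{src}"
    s_scheme, s_host, s_port = _origin(src)
    # "*.x" matches subdomains of x only, never x itself
    host_ok = e_host.endswith(s_host[1:]) if s_host.startswith("*.") else e_host == s_host
    return host_ok and s_scheme == e_scheme and s_port == e_port

def framing_decision(headers, page_url, embedder_url):
    """Return (allowed, reason). frame-ancestors wins when present; X-Frame-Options is the
    fallback, and its obsolete ALLOW-FROM form is ignored by current browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        ok = any(_source_allows(s, page_url, embedder_url) for s in sources)
        return ok, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        same = _origin(page_url) == _origin(embedder_url)
        return xfo == "SAMEORIGIN" and same, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored; no protection"
    return True, "no framing restriction set"
```

    Run framing_decision against the headers your site actually returns (for example from a browser's network panel) to confirm that only the intended third-party domain is permitted and that no obsolete ALLOW-FROM value is left behind.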

    Thread Starter Jay.Dub

    (@jaydub-1)

    Very helpful, many thanks.
