How to set X-Frame-Options Allow-From in nginx correctly

Question

Im trying to set the ALLOWED-FROM in Nginx but all settings I tried so far resulted in the following Chrome error: Invalid 'X-Frame-Options' header encountered when loading 'https://domain.com/#/register': 'ALLOW-FROM domain.com' is not a recognized directive. The header will be ignored.

This options I tried are those: (tried also with FQDN with https:// prefix)

  add_header X-Frame-Options "Allow-From domain.com"; 
  add_header X-Frame-Options "ALLOW-FROM domain.com"; 
  add_header X-Frame-Options "ALLOW-FROM: domain.com";
  add_header X-Frame-Options "Allow-From: domain.com";
  add_header X-Frame-Options ALLOW-FROM "domain.com";
  add_header X-Frame-Options ALLOW-FROM domain.com;

Answer 1

in Chrome and Safari you need to use Content-Security-Policy

Content-Security-Policy: frame-ancestors domain.com

You can check more details on this site:

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

Answer 2

Some older browser do not support Content Security Policy so the correct syntax is

add_header X-Frame-Options "ALLOW-FROM domain.com";

and the new version of browsers support Content Security Policy

add_header Content-Security-Policy "frame-ancestors domain.com";

You should use both the headers so as to ensure support in all the browser

To know more browser support for X-Frame-Options and Content Security Policy(CSP browser support data is outdated as written on 12/19/2017. Currently all major browser support CSP): https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet