Apache config: allow iFrames only for a specific directory

Solution 1:

See documentation for X-Frame-Options. You can

  • allow embedding from https://example.com/mydir:

    Header always append X-Frame-Options ALLOW-FROM=https://example.com/mydir
    
  • allow embedding of https://example.com/mydir
    by adding it only when Location doesn't match /mydir, with the LocationMatch directive.

    <VirtualHost *:80>
        ServerName example.com
    
        <LocationMatch "^/(?!mydir)(.*)">
            Header always append X-Frame-Options DENY
        </LocationMatch>
    </VirtualHost>
    
  • to maximize security, add a combination of these i.e. only allow embedding of /mydir from ....

You can't limit it to <iframe> alone, but the embedding can also be done as <frame> or <object>.