Apache config: allow iFrames only for a specific directory

apache2

Solution 1:

See documentation for X-Frame-Options. You can

  • allow embedding from https://example.com/mydir:

    Header always append X-Frame-Options ALLOW-FROM=https://example.com/mydir

  • allow embedding of https://example.com/mydir
    by adding it only when Location doesn't match /mydir, with the LocationMatch directive.

    <VirtualHost *:80>
    ServerName example.com

    <LocationMatch "^/(?!mydir)(.*)">
        Header always append X-Frame-Options DENY
    </LocationMatch>
</VirtualHost>

  • to maximize security, add a combination of these i.e. only allow embedding of /mydir from ....

You can't limit it to <iframe> alone, but the embedding can also be done as <frame> or <object>.

Related

Where are Tomcat 9 sessions stored in Ubuntu 18?
GCP User added in IAM cannot see project
Windows Server 2019 2 node failover cluster offline after some reboot
High availability VM Windows server [closed]
SMTP postfix mail bounced host or domain name not found
Different drivers/support for 10GbE SFP+ copper versus fiber?
IPv6 network fails on Linux router
apache2.4 reverse proxy to nginx gitlab server [closed]
Remove index.php from URL Apache 2.4
Can I assign domain name to an ec2 instance? [closed]
Can I use both Thunderbolt ports to get higher resolution/framerate
MBP TB 2016 Failed to format and crashes. APFS Container damaged?