Hi all,
I'm using nginx in order to serve an application that (can) make use of CORS settings. That means that in the dashboard of the application I can have some settings for restricting CORS to specific domains.
I also have this line in my nginx configuration:
add_header X-Frame-Options SAMEORIGIN;
But I also have these lines:
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
I understand that x-frame options has to do with being able to load the web application in an iframe or not.
My question is:
Should having CORS set for a certain domain name enable loading code within the iframe on the domain names set as unrestricted in the CORS settings? Or in other words: should CORS settings be able to override the x-frame options line for specific domains?
Thanks,
Lex
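An added illustration, not part of Lex's post or his actual configuration: browsers evaluate the framing headers and the CORS headers independently, so each allowlist has to be expressed in its own header. The hostnames, port and upstream address are placeholder assumptions, and the CORS allowlist is shown in nginx rather than in the application dashboard.

```nginx
# Added example; all hostnames and addresses are placeholders.
# The map block belongs in the http {} context.

# CORS allowlist: echo the Origin back only when it is a trusted one.
# An empty value makes nginx omit the header entirely.
map $http_origin $cors_origin {
    default                      "";
    "https://dashboard.example"  $http_origin;
    "https://partner.example"    $http_origin;
}

server {
    listen 8080;
    server_name app.example;

    # Framing policy: checked by the browser when the page is loaded in an
    # <iframe>. The Access-Control-* headers are not consulted for this.
    add_header X-Frame-Options SAMEORIGIN always;

    # X-Frame-Options cannot portably name several origins. A per-domain
    # framing allowlist goes in CSP frame-ancestors, which browsers that
    # support it enforce in preference to X-Frame-Options.
    add_header Content-Security-Policy "frame-ancestors 'self' https://partner.example" always;

    # CORS policy: checked when script on another origin reads a response
    # (fetch/XHR). It grants no permission to frame the page.
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Vary Origin always;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'Authorization,Content-Type,Accept,Origin' always;

    location / {
        proxy_pass http://127.0.0.1:3000;  # placeholder upstream
    }
}
```

With this configuration `https://dashboard.example` may read responses via CORS but still cannot frame the application, because only `https://partner.example` appears in `frame-ancestors`.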