Wednesday, 30 September 2020

X-Frame-Options being cached causing problems

I am trying to get an HTML page allowed on multiple domains, and on IE11 at least. When I put X-Frame-Options: ALLOW-FROM <incoming_origin> (if the incoming origin is in the allowed list), the page gets cached with this header, and if you open it from another allowed origin it gets blocked.

When I put X-Frame-Options: ALLOWALL and have my backend return 403 if the origin is not on the allowed list, the page gets cached with this header, and if you open it from an origin not on the allowed list.

I am using Cache-Control: private, no-cache, max-age=86400, which instructs the browser to revalidate the page before use, but it checks the ETag, sees it is the same, and just uses the cached page with the cached X-Frame-Options header.

Now I can just use Cache-Control: no-store and force the browser never to cache, which I am tempted to do.

Note: currently what I am doing is to force the page that is embedding to put the origin in the query string too, and if the request is cross-domain and I detect no origin in the query string, I redirect to page?o=<the_origin_i_detect>. Then I validate that the origin in the query string is the same as the Origin/Referer in the headers (which the browser sets), and if it is not, I send a 403 response. What this does is that for each origin a different page is served (different query-string origin) with the correct X-Frame-Options: ALLOW-FROM <that_domain>, and if anyone from a different origin tries to embed an already cached page (with an origin in the query string), the browser will block them, as the ALLOW-FROM is different, or revalidate (since no-cache), get a 403 and block them (hopefully).

My question is, though: what is the common practice for such a scenario, and why has nobody mentioned this topic before?
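Added example, not from the original post or its author: a backend decision function that implements the per-origin workaround the question describes (redirect an allowed cross-origin embedder to a ?o=<origin> URL, then answer that URL with a matching ALLOW-FROM or a 403 when the query-string origin and the browser-reported origin disagree). The allow-list, the PAGE_ORIGIN value, the /widget path and the parameter name o are assumptions for the example. Browsers that support CSP can be given one Content-Security-Policy: frame-ancestors directive listing every allowed origin, which sidesteps the per-origin caching problem entirely; IE11 does not support it, which is what forces the X-Frame-Options route.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allow-list for the example; the real list lives in the backend.
ALLOWED_ORIGINS = {"https://partner-a.example", "https://partner-b.example"}
# Origin that serves the embeddable page (assumption for the example).
PAGE_ORIGIN = "https://app.example"


def origin_from_url(url):
    """Reduce an absolute URL to its origin (scheme://host[:port]), lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def embedding_origin(headers):
    """Origin of the document doing the embedding, from Origin or (usually) Referer.

    Browsers rarely send Origin on a GET navigation, so for an <iframe> load
    the Referer of the embedding document is what the backend actually sees.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("origin") and lower["origin"] != "null":
        return origin_from_url(lower["origin"])
    if lower.get("referer"):
        return origin_from_url(lower["referer"])
    return None


def handle_frame_request(path, query, headers):
    """Decide status and response headers for one request to the embeddable page.

    Returns (status, headers_dict). Cache-Control stays private + no-cache so the
    browser revalidates; each allowed origin gets its own URL (?o=...) and hence
    its own cache entry carrying the ALLOW-FROM header that matches it.
    """
    embedder = embedding_origin(headers)
    qs_origin = parse_qs(query).get("o", [None])[0]
    cache = {"Cache-Control": "private, no-cache"}

    if qs_origin is None:
        if embedder is None or embedder == PAGE_ORIGIN:
            # Top-level load or same-origin frame: no ALLOW-FROM needed
            # (SAMEORIGIN default is an assumption for the example).
            return 200, {**cache, "X-Frame-Options": "SAMEORIGIN"}
        if embedder not in ALLOWED_ORIGINS:
            return 403, cache
        # Allowed cross-origin embedder without ?o=: bounce to the per-origin URL
        # so this origin never shares a cache entry with another origin.
        return 302, {**cache, "Location": f"{path}?{urlencode({'o': embedder})}"}

    # ?o= is present: it must be allowed and match the origin the browser reports.
    # A URL cached for origin A and loaded from origin B fails here with 403 on
    # revalidation (and the cached "ALLOW-FROM A" blocks it in the meantime).
    if qs_origin not in ALLOWED_ORIGINS or qs_origin != embedder:
        return 403, cache
    return 200, {**cache, "X-Frame-Options": f"ALLOW-FROM {qs_origin}"}


if __name__ == "__main__":
    # Constructed request: partner-a's page embeds /widget for the first time.
    print(handle_frame_request("/widget", "",
                               {"Referer": "https://partner-a.example/dashboard"}))
```

One caveat the function makes visible: it can only key on what the browser reports. If the embedding page sets a Referrer-Policy that suppresses Referer (no-referrer, or same-origin on a cross-origin embed), the backend sees neither Origin nor Referer, so a bare request is treated as a top-level load and any ?o= request is refused with 403; a partner with such a policy would have to be handled separately.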



