Can't override X-Frame-Options "SAMEORIGIN" with X-Frame-Options "" in the

Time:11-04

I have an nginx conf file containing some generic lines that I deploy on several websites. Among those lines I have this:

add_header X-Frame-Options "SAMEORIGIN";

For certain websites I want to deploy some custom lines. For example there are a few websites for which I want to deploy the following because I want to allow them to be loaded in some iframes:

add_header X-Frame-Options "";

So, those websites' conf files end up containing something like this:

# some generic settings
add_header X-Frame-Options "SAMEORIGIN";
...

# some custom settings
add_header X-Frame-Options "";
...

The problem is that the second add_header X-Frame-Options doesn't override the first. I also tried to switch the settings and I put the custom ones first and then the generic ones. So the conf file looked like this:

# some custom settings
add_header X-Frame-Options "";
...
    
# some generic settings
add_header X-Frame-Options "SAMEORIGIN";
...

But again, the setting for X-Frame-Options was "SAMEORIGIN" and not "".

My question is: is there any possibility to override that X-Frame-Options add_header setting once it is set?

I'm running nginx 1.20 on Ubuntu 18.

CodePudding user response:

You can override it by setting the Content-Security-Policy frame-ancestors directive. For all but legacy browsers, this will override X-Frame-Options. Try

Content-Security-Policy: frame-ancestors 'self' *;

You might not need 'self' (equivalent to XFO SAMEORIGIN); you can test without it.
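Two nginx facts explain what the question observes: add_header does not emit a header whose value is empty (so `add_header X-Frame-Options "";` sends nothing and overrides nothing), and add_header directives are only inherited from the enclosing level when the current level defines none; two add_header lines for the same name at one level are both sent. What a browser then does with the headers is what the answer relies on, and the script below is an added example (not code from the question, the answer or nginx) that encodes that precedence so you can check what a site actually sends: a Content-Security-Policy with frame-ancestors makes X-Frame-Options irrelevant; otherwise X-Frame-Options decides, and conflicting values that include SAMEORIGIN or DENY are treated as DENY. The origins, hostnames and header blocks are constructed; CSP source matching is simplified (keywords, `*`, scheme-source and host-source, ports ignored) and only the direct embedder is checked rather than the whole ancestor chain.

```python
"""Effective framing policy of an HTTP response (added example, not code from the
question, the answer or nginx). Precedence: a Content-Security-Policy with a
frame-ancestors directive wins; otherwise X-Frame-Options decides, and conflicting
values that include deny/sameorigin/allowall are treated as DENY.
Sample header blocks below are constructed, not captured from a real server."""
from urllib.parse import urlsplit


def parse_headers(raw):
    """Turn raw response text (the shape `curl -I` prints) into lowercase (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestor_lists(headers):
    """One source list per CSP header that contains a frame-ancestors directive."""
    lists = []
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append(tokens[1:])
                break  # only the first frame-ancestors directive of a policy counts
    return lists


def _parts(origin):
    u = urlsplit(origin)
    return u.scheme.lower(), (u.hostname or "").lower()


def _source_matches(source, page_origin, embedder):
    """Simplified CSP source matching: keywords, '*', scheme-source, host-source (ports ignored)."""
    src = source.lower()
    p_scheme, _ = _parts(page_origin)
    e_scheme, e_host = _parts(embedder)
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return _parts(page_origin) == (e_scheme, e_host)
    if src.endswith(":"):  # scheme-source such as https:
        return e_scheme == src[:-1]
    if "://" in src:
        s_scheme, s_host = _parts(src)
        if s_scheme != e_scheme:
            return False
    else:  # host-source without scheme: page's scheme, http may upgrade to https
        s_host = src.split("/")[0]
        if e_scheme != p_scheme and not (p_scheme == "http" and e_scheme == "https"):
            return False
    if s_host.startswith("*."):
        return e_host.endswith(s_host[1:])
    return e_host == s_host


def framing_allowed(raw_headers, page_origin, embedder_origin):
    """Return (allowed, reason) for a document at page_origin framed by embedder_origin."""
    headers = parse_headers(raw_headers)
    policies = frame_ancestor_lists(headers)
    if policies:
        # CSP takes precedence: every policy that sets frame-ancestors must admit the embedder.
        for sources in policies:
            if not any(_source_matches(s, page_origin, embedder_origin) for s in sources):
                return False, "blocked by Content-Security-Policy frame-ancestors"
        return True, "allowed by Content-Security-Policy frame-ancestors"
    values = set()
    for name, value in headers:  # several headers or comma-separated values are all collected
        if name == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(","))
    if len(values) > 1:
        if values & {"deny", "allowall", "sameorigin"}:
            return False, "conflicting X-Frame-Options values are treated as DENY"
        return True, "X-Frame-Options carries only unrecognised values"
    if values == {"deny"}:
        return False, "blocked by X-Frame-Options: DENY"
    if values == {"sameorigin"}:  # only the direct embedder is checked here
        if _parts(page_origin) == _parts(embedder_origin):
            return True, "same origin allowed by X-Frame-Options: SAMEORIGIN"
        return False, "blocked by X-Frame-Options: SAMEORIGIN"
    return True, "no valid framing restriction in the response"


# Constructed sample responses (hostnames and values are made up).
SAMPLE_XFO_ONLY = "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\n"
SAMPLE_XFO_PLUS_CSP = SAMPLE_XFO_ONLY + (
    "Content-Security-Policy: frame-ancestors 'self' https://partner.example\r\n")
SAMPLE_CONFLICTING_XFO = SAMPLE_XFO_ONLY + "X-Frame-Options: DENY\r\n"

if __name__ == "__main__":
    for label, raw in (("XFO only", SAMPLE_XFO_ONLY), ("XFO + CSP", SAMPLE_XFO_PLUS_CSP),
                       ("conflicting XFO", SAMPLE_CONFLICTING_XFO)):
        for embedder in ("https://site.example", "https://partner.example", "https://evil.example"):
            ok, why = framing_allowed(raw, "https://site.example", embedder)
            print(f"{label:16} framed by {embedder:24} -> {'allow' if ok else 'block'} ({why})")
```

To check a deployed site, paste the output of `curl -sI https://your-site` in place of the constructed samples; the SAMEORIGIN response from the generic config blocks the partner embedder, while the same response plus the answer's frame-ancestors policy admits it without touching the X-Frame-Options line.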
