Hi our server is configured to have X-Frame-Options: DENY because we do not want most of our pages to be served in iframes.
But we have some trial pages which we do want to be able to serve in iFrames from other domains. In other words, X-Frame-Options: SAMEORIGIN, will not cut it. Turning off the X-Frame-Options: DENY, is not an option for us.
We are able to program our application in such a way that just for serving those trial pages, we can modify the page header or anything else. But since the server is set to X-Frame-Options: DENY, we are not able to display these trial pages in iFrames on major browsers.
I read here ( http://stackoverflow.com/questions/6666423/overcoming-display-forbidden-by-x-frame-options ) that we can include X-Frame-Options: ANYTEXT in the header for that particular trial page and it will OVERRIDE the server config for X-Frame-Options: DENY, and display the page in the browser iFrame. ——– BUT this seems to be a pretty hacky way to do it and not sure if this is even supported or documented.
Can someone please advise how to allow display of only some pages of our app in a iFrame but still keeping server config as X-Frame-Options: DENY?
