Hi all,
I'm using nginx in order to serve an application that (can) make use of CORS settings. That means that in the dashboard of the application I can have some settings for restricting CORS to specific domains.
I also have this line in my nginx configuration:
add_header X-Frame-Options SAMEORIGIN;
But I also have these lines:
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
I understand that X-Frame-Options has to do with being able to load the web application in an iframe or not.
My question is:
Should having CORS set for a certain domain name enable loading code within the iframe on the domain names set as unrestricted in the CORS settings? Or in other words: should CORS settings be able to override the X-Frame-Options line for specific domains?
Thanks,
Lex