I use
Header set X-Frame-Options SAMEORIGIN
in .htaccess
But i would like to have 1 html page that isn't blocked when shown in iframe on other websites.....
How can i make 1 exception?
The Header directive provides an additional argument that allows you to set the header conditionally based on whether an environment variable is set or not.
You could then set an env var when this one URL is requested. And only allow the header to be set when the env var is not set.
For example:
SetEnvIf Request_URI "^/one-page-not-blocked\.html$" DO_NOT_BLOCK
Header set X-Frame-Options SAMEORIGIN env=!DO_NOT_BLOCK
The above SetEnvIf directive sets the env var DO_NOT_BLOCK to the value 1 when the regex matches the requested URL.
The env=!DO_NOT_BLOCK argument is successful when the env var is not set (denoted by the ! prefix).
This method allows you to add additional URLs to not block by simply adding more SetEnvIf directives.
Related
I have the below htacess code and am wondering how i can specify it to only apply to a specific folder. in this case, only all image files in: /public_html/img/icons/
<filesMatch ".(png)$">
Header set Cache-Control "max-age=31536000, public"
</filesMatch>
Set an environment variable (using SetEnvIf) when the URL requested matches the specific folder and image type(s). Set the Header conditionally based on this env var (using the env= argument of the Header directive).
For example:
# Cache images in the "/img/icons" subdirectory
SetEnvIf Request_URI "^/img/icons/.+\.(png|jpg|gif)$" ENABLE_CACHE
Header set Cache-Control "max-age=31536000, public" env=ENABLE_CACHE
This method allows you to keep all the directives in the single .htaccess file in the document root. It also works on all versions of Apache (unlike <If> expressions that require Apache 2.4).
However, this may also be dependent on other directives you have in the .htaccess file. If, for instance, you are on Apache (as opposed to LiteSpeed) and rewriting the URL with mod_rewrite (a front-controller pattern perhaps) then you may need to test for REDIRECT_ENABLE_CACHE in the Header directive instead. (Or change your existing directives to prevent a loop of the rewrite engine, that results in the env var being prefixed with REDIRECT_.)
I have three environments:
env.com
env-uat.com
env-pre.com
All three pages run the same code. I want env-uat.com and env-pre.com to both get this in the htaccess:
Header set X-Robots-Tag "noindex, nofollow"
This will effectively completely unindex these pages, including PDF files etc. But I don't want to affect env.com.
How can I make the Header X-Robots-Tag only be added for env-uat.com and env-pre.com and NOT env.com?
** UPDATE **
From what I could find so far, it would seem you can only do something like this:
SetEnvIf Request_URI "^/privacy-policy" NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
But this makes it specific to a PAGE. I want it specific to a DOMAIN.
#Starkeen was right up to here :
SetEnvIf host ^(env-uat\.com|host2\.com)$ NOINDEXFOLLOW
So , you could include the domains that you want to be involved in this Env like this :
SetEnvIf host ^(env-uat|env-pre)\.com NOINDEXFOLLOW
Then you should attach the Env with same name like this :
Header set X-Robots-Tag "noindex, follow" env=NOINDEXFOLLOW
Not like this :
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
The line above will look to Env its name is REDIRECT_NOINDEXFOLLOW not NOINDEXFOLLOW and it is diffrent case from this question X Robots Tag noindex specific page
That was about matching against Request_URI and for special case .
So , the code should look like this :
SetEnvIf host ^(env-uat|env-pre)\.com NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=NOINDEXFOLLOW
You can match against Host header using SetEnvIf directive.
To make the Header X-Robots-Tag only available for a specific host ( env-uat.com ) you could use something like the following :
SetEnvIf host ^env-uat\.com$ NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
To make this available for multiple hosts ,you could use the following :
SetEnvIf host ^(env-uat\.com|host2\.com)$ NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
I am using W3 Total Cache with Amazon cloudfront. I have in my htaccess file:
# BEGIN W3TC CDN
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
# END W3TC CDN
But still getting error:
Font from origin 'https://example.cloudfront.net' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.example.com' is therefore not allowed access.
Why is this happening?
Found the solution in this link: https://www.naschenweng.info/2014/09/23/wordpress-w3-total-cache-cloudfront-font-cors-issue/.
You need to change the CloudFront distribution's behaviors settings:
Change “Forward Headers” from “None” to “Whitelist”
Add “Origin” to the “Whitelist Headers”
Make sure that “Use Origin Cache Headers” is checked
Then invalidate the cached fonts.
Wrestling with this for days, and think I finally fixed it. Here are some things to check:
The webserver config should add the proper header. Apache syntax is listed in the question. Here's Nginx syntax that I used:
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin '*';
}
Within W3TC > Performance > CDN > Custom File List, I added the following to upload the actual font files:
{plugins_dir}/*.ttf
{plugins_dir}/*.woff
While you're there, set the Theme file types to upload to the following. Per #Yao's link, the default separators are inconsistent (should all be semicolons, not commas)
*.css;*.js;*.gif;*.png;*.jpg;*.ico;*.ttf;*.otf;*.woff;*.less
In S3 > Permissions > CORS Configuration, change the default
<AllowedHeader>Authorization</AllowedHeader>
to:
<AllowedHeader>*</AllowedHeader>
You should start seeing the necessary Access-Control-Allow-Origin header in the response.
In CloudFront > Distribution > Behaviors, make the following changes:
Change Allowed HTTP Methods to GET, HEAD, OPTIONS (you need OPTIONS)
Change Forward Headers to Whitelist
Under Whitelist Headers, Add >> Origin
To test:
curl -I -s -X GET -H "Origin: www.example.com" https://abcdefg543210.cloudfront.net/wp-content/path/to/foo.ttf
This should give you back the following header:
Access-Control-Allow-Origin: *
X-Cache: Miss from cloudfront
I found this blog post to be pretty helpful:
http://blog.celingest.com/en/2014/10/02/tutorial-using-cors-with-cloudfront-and-s3/
basicly It's because the font isn't set to be shared outside of the domain that you are on, so you can just use it as a resourse for, in this case, https://example.cloudfront.net
This can be changed in the webserver settings though.
The problem may not always be with the origin settings on Nginx or Apache at your web server end.
You will also need to enable CORS on your S3 AWS account for this to work correctly.
Firstly I tried adding multiple ifmodule but it does not work.
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl1.com
</ifModule>
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl2.com
</ifModule>
When try to add multiple ifmodule only last one(http://domainurl2.com) works others not.
then I try following code it works but i think it is not secure to allow everyone
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: “*”
</ifModule>
I have 5 domain that i have to allow.
Are there any solutions for adding multiple domains that i want to allow?
Try this if you want a quick fix
<ifModule mod_headers.c>
Header add Access-Control-Allow-Origin "http://domainurl1.com"
Header add Access-Control-Allow-Origin "http://domainurl2.com"
</ifModule>
However, this is not the recommended solution by W3C, instead you should make the server read the Origin header from the client, then compare it to a list of allowed domains and finally send the value of the Origin header back to the client as the Access-Control-Allow-Origin header. Check http://www.w3.org/TR/cors/#access-control-allow-origin-response-hea for more details.
I have two .htaccess file. One is in the root and the second one is in subfolder. At root I set the Access-Control-Allow-Origin like this:
Header add Access-Control-Allow-Origin "http://mypage.de"
Header add Access-Control-Allow-Origin "http://www.mypage.de"
The subfolder is the target of a subdomain and I just want to set the Access-Control-Allow-Origin to both variants of the subdomain like this:
Header add Access-Control-Allow-Origin "http://sub.mypage.de"
Header add Access-Control-Allow-Origin "http://www.sub.mypage.de"
The problem is that I get on my subdomain a 400 bad request error because the 2 definitions from my root are also added to the request when calling the subdomain. Is there a way to reset Access-Control-Allow-Origin or to exclude the subfolder from using the header rules from the root htaccess? Thanks.
In the subfolder, add this before your lines
Header unset Access-Control-Allow-Origin
That should clear the previous headers