Hi. As part of server security hardening, I wanted to limit/prevent clickjacking. Most guides I've found recommend using (in httpd.conf):

Header always append X-Frame-Options SAMEORIGIN

This works, but we have certain URIs/domains we need to allow iframes includes from.

So I wanted to add

Header always append X-Frame-Options ALLOW-FROM <URI>

and I have two questions:

1) if specified in the form above, for example

Header always append X-Frame-Options ALLOW-FROM http://www.example.com

, Apache service won't start complaining about incorrect syntax of this command. The only way it worked is when I wrote it this way

Header always append X-Frame-Options ALLOW-FROM=http://www.example.com

. Why doesn't any guide mention there should be the equals sign? It also doesn't seem like standard syntax in httpd.conf

2) not sure if I didn't configure something wrong, but after adding the line from 1), it only works in IE, not other browsers, despite them claiming support for the ALLOW-FROM including Firefox and Chrome. I know this isn't related to Apache, just checking if it might be caused by me misconfiguring something.

Thanks in advance

[edited by: Ocean10000 at 2:18 pm (utc) on Mar 24, 2015]
[edit reason] Examplified [/edit]