apache2 - Apache config: allow iFrames only for a specific directory

I would like to configure Apache so that

it normally denies requests for iFrames (for instance, by setting Header always append X-Frame-Options DENY)

but, it allows a specific directory to be embedded as iFrame, independently from the origin of the request (for instance, )

Is that possible?

Answer

See documentation for X-Frame-Options. You can

allow embedding from https://example.com/mydir:

Header always append X-Frame-Options ALLOW-FROM=https://example.com/mydir

allow embedding of https://example.com/mydir
by adding it only when Location doesn't match /mydir, with the LocationMatch directive.
```
    ServerName example.com

    
        Header always append X-Frame-Options DENY
    
```

to maximize security, add a combination of these i.e. only allow embedding of /mydir from ....

You can't limit it to </code> alone, but the embedding can also be done as <code><frame></code> or <code><object></code>.</p><br/> </div> </div> <div class='post-sidebar invisible'> <div class='post-share-buttons post-share-buttons-top'> <div class='byline post-share-buttons goog-inline-block'> <div aria-owns='sharing-popup-Blog1-normalpostsidebar-4090579089250247047' class='sharing' data-title='apache2 - Apache config: allow iFrames only for a specific directory'> <button aria-controls='sharing-popup-Blog1-normalpostsidebar-4090579089250247047' aria-label='Share' class='sharing-button touch-icon-button flat-button ripple' id='sharing-button-Blog1-normalpostsidebar-4090579089250247047' role='button'> Share </button> <div class='share-buttons-container'> <ul aria-hidden='true' aria-label='Share' class='share-buttons hidden' id='sharing-popup-Blog1-normalpostsidebar-4090579089250247047' role='menu'> <li> <span aria-label='Get link' class='sharing-platform-button sharing-element-link' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Get link'> <svg class='svg-icon-24 touch-icon sharing-link'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_link_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Get link</span> </span> </li> <li> <span aria-label='Share to Facebook' class='sharing-platform-button sharing-element-facebook' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=facebook' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to Facebook'> <svg class='svg-icon-24 touch-icon sharing-facebook'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_facebook_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Facebook</span> </span> </li> <li> <span aria-label='Share to X' class='sharing-platform-button sharing-element-twitter' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=twitter' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to X'> <svg class='svg-icon-24 touch-icon sharing-twitter'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_twitter_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>X</span> </span> </li> <li> <span aria-label='Share to Pinterest' class='sharing-platform-button sharing-element-pinterest' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=pinterest' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to Pinterest'> <svg class='svg-icon-24 touch-icon sharing-pinterest'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_pinterest_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Pinterest</span> </span> </li> <li> <span aria-label='Email' class='sharing-platform-button sharing-element-email' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=email' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Email'> <svg class='svg-icon-24 touch-icon sharing-email'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_email_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Email</span> </span> </li> <li aria-hidden='true' class='hidden'> <span aria-label='Share to other apps' class='sharing-platform-button sharing-element-other' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to other apps'> <svg class='svg-icon-24 touch-icon sharing-sharingOther'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_more_horiz_black_24dp' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Other Apps</span> </span> </li> </ul> </div> </div> </div> </div> </div> </div> <div class='post-bottom'> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> </div> </div> <div class='post-share-buttons post-share-buttons-bottom'> <div class='byline post-share-buttons goog-inline-block'> <div aria-owns='sharing-popup-Blog1-byline-4090579089250247047' class='sharing' data-title='apache2 - Apache config: allow iFrames only for a specific directory'> <button aria-controls='sharing-popup-Blog1-byline-4090579089250247047' aria-label='Share' class='sharing-button touch-icon-button flat-button ripple' id='sharing-button-Blog1-byline-4090579089250247047' role='button'> Share </button> <div class='share-buttons-container'> <ul aria-hidden='true' aria-label='Share' class='share-buttons hidden' id='sharing-popup-Blog1-byline-4090579089250247047' role='menu'> <li> <span aria-label='Get link' class='sharing-platform-button sharing-element-link' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Get link'> <svg class='svg-icon-24 touch-icon sharing-link'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_link_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Get link</span> </span> </li> <li> <span aria-label='Share to Facebook' class='sharing-platform-button sharing-element-facebook' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=facebook' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to Facebook'> <svg class='svg-icon-24 touch-icon sharing-facebook'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_facebook_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Facebook</span> </span> </li> <li> <span aria-label='Share to X' class='sharing-platform-button sharing-element-twitter' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=twitter' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to X'> <svg class='svg-icon-24 touch-icon sharing-twitter'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_twitter_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>X</span> </span> </li> <li> <span aria-label='Share to Pinterest' class='sharing-platform-button sharing-element-pinterest' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=pinterest' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to Pinterest'> <svg class='svg-icon-24 touch-icon sharing-pinterest'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_pinterest_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Pinterest</span> </span> </li> <li> <span aria-label='Email' class='sharing-platform-button sharing-element-email' data-href='https://www.blogger.com/share-post.g?blogID=4095952452479453750&postID=4090579089250247047&target=email' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Email'> <svg class='svg-icon-24 touch-icon sharing-email'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_24_email_dark' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Email</span> </span> </li> <li aria-hidden='true' class='hidden'> <span aria-label='Share to other apps' class='sharing-platform-button sharing-element-other' data-url='https://errnote.blogspot.com/2019/07/apache2-apache-config-allow-iframes.html' role='menuitem' tabindex='-1' title='Share to other apps'> <svg class='svg-icon-24 touch-icon sharing-sharingOther'> <use xlink:href='/responsive/sprite_v1_6.css.svg#ic_more_horiz_black_24dp' xmlns:xlink='http://www.w3.org/1999/xlink'></use> </svg> <span class='platform-sharing-text'>Other Apps</span> </span> </li> </ul> </div> </div> </div> </div> </div> </div> </div> <section class='comments embed' data-num-comments='0' id='comments'> <a name='comments'></a> <h3 class='title'>Comments</h3> <div id='Blog1_comments-block-wrapper'> </div> <div class='footer'> <div class='comment-form'> <a name='comment-form'></a> <h4 id='comment-post-message'>Post a Comment</h4> <a href='https://www.blogger.com/comment/frame/4095952452479453750?po=4090579089250247047&hl=en&saa=85391&origin=https://errnote.blogspot.com&skin=notable' id='comment-editor-src'></a> <iframe allowtransparency='allowtransparency' class='blogger-iframe-colorize blogger-comment-from-post' frameborder='0' height='410px' id='comment-editor' name='comment-editor' src='' width='100%'>