Tags: nginx, cross-domain, content-security-policy, x-frame-options

How to set X-Frame-Options Allow-From in nginx correctly


I'm trying to set ALLOW-FROM in Nginx, but every setting I have tried so far results in the following Chrome error: "Invalid 'X-Frame-Options' header encountered when loading 'https://domain.com/#/register': 'ALLOW-FROM domain.com' is not a recognized directive. The header will be ignored."

The options I tried are these (I also tried the FQDN with an https:// prefix):

  add_header X-Frame-Options "Allow-From domain.com";
  add_header X-Frame-Options "ALLOW-FROM domain.com";
  add_header X-Frame-Options "ALLOW-FROM: domain.com";
  add_header X-Frame-Options "Allow-From: domain.com";
  add_header X-Frame-Options ALLOW-FROM "domain.com";
  add_header X-Frame-Options ALLOW-FROM domain.com;

Solution

  • In Chrome and Safari you need to use Content-Security-Policy:

    Content-Security-Policy: frame-ancestors domain.com
    

    You can find more details on this page:

    https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
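The following Python is an added illustration, not code from the question, the answer, or nginx. It models how a browser decides whether the framed page may be embedded: an X-Frame-Options value it does not recognise (ALLOW-FROM in Chrome and Safari) is simply ignored, which leaves the page unprotected against framing, while a CSP frame-ancestors directive takes precedence over X-Frame-Options and is matched per source expression. The origins https://app.domain.com and https://evil.example are constructed sample values; the matching rules are a simplified reading of the CSP host-source algorithm.

```python
"""Model of how a browser decides whether https://domain.com/#/register may be
framed, given the two headers discussed above.  Added, simplified illustration,
not browser source; origins below are constructed sample values."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_parts(origin):
    """Split 'https://app.domain.com:8443' into (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or DEFAULT_PORTS.get(scheme)


def xfo_decision(value, page_origin, embedder_origin, allow_from_supported=False):
    """Interpret an X-Frame-Options value.  Returns True/False, or None when the
    browser does not recognise the value and therefore ignores the header.
    Chrome and Safari never implemented ALLOW-FROM, which produces exactly the
    'not a recognized directive' error quoted in the question."""
    tokens = value.strip().split()
    directive = tokens[0].upper() if tokens else ""
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_parts(page_origin) == origin_parts(embedder_origin)
    if directive == "ALLOW-FROM" and len(tokens) == 2 and allow_from_supported:
        return origin_parts(tokens[1]) == origin_parts(embedder_origin)
    return None  # unrecognised -> header ignored, framing is NOT restricted


def source_matches(source, page_origin, embedder_origin):
    """Match one frame-ancestors source expression against the embedder origin."""
    p_scheme, p_host, p_port = origin_parts(page_origin)
    e_scheme, e_host, e_port = origin_parts(embedder_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (p_scheme, p_host, p_port) == (e_scheme, e_host, e_port)
    if source == "*":
        return True
    # host-source: [scheme://]host[:port].  A scheme-less source (as in the
    # answer's 'frame-ancestors domain.com') matches the page's own scheme, or
    # https as an upgrade of an http page (simplified CSP rule).
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme:
        if src.scheme.lower() != e_scheme:
            return False
    elif e_scheme not in {p_scheme, "https"}:
        return False
    host = src.hostname or ""
    if host.startswith("*."):          # *.domain.com covers subdomains only
        if not e_host.endswith(host[1:]):
            return False
    elif host != e_host:
        return False
    src_port = src.port or DEFAULT_PORTS.get(src.scheme.lower() or e_scheme)
    return src_port == e_port


def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent.
    (frame-ancestors does not fall back to default-src.)"""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers, page_origin, embedder_origin, allow_from_supported=False):
    """Combine the headers as current browsers do: when frame-ancestors is
    present it wins and X-Frame-Options is ignored; with no effective
    restriction, framing is permitted."""
    sources = csp_frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:   # an empty source list behaves like 'none'
        return any(source_matches(s, page_origin, embedder_origin) for s in sources)
    xfo = headers.get("X-Frame-Options")
    if xfo is not None:
        verdict = xfo_decision(xfo, page_origin, embedder_origin, allow_from_supported)
        if verdict is not None:
            return verdict
    return True


if __name__ == "__main__":
    page = "https://domain.com"                    # the framed page from the question
    partner, attacker = "https://domain.com", "https://evil.example"   # constructed
    # The question's header: Chrome ignores ALLOW-FROM, so nothing is blocked.
    bad = {"X-Frame-Options": "ALLOW-FROM domain.com"}
    print(framing_allowed(bad, page, attacker))    # True  (page is unprotected)
    # The answer's header: only domain.com may frame the page.
    good = {"Content-Security-Policy": "frame-ancestors domain.com"}
    print(framing_allowed(good, page, partner))    # True
    print(framing_allowed(good, page, attacker))   # False
```

The practical lesson the model makes visible is that an unrecognised X-Frame-Options value is not "fail closed": the browser drops the header and the page becomes frameable from anywhere. In nginx the answer's header would be emitted with `add_header Content-Security-Policy "frame-ancestors domain.com" always;` (the `always` parameter makes nginx add the header on error responses as well), and a `SAMEORIGIN` or `DENY` X-Frame-Options header can be kept alongside it for browsers that do not evaluate frame-ancestors. Note also that frame-ancestors never inherits from default-src, so it must be listed explicitly.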