Tags: spring, spring-security, internet-explorer-11, x-frame-options

How can we allow multiple domains with X-Frame-Options for the IE 11 browser?


I have one URL, https://xyz.mydomain.com/app1/, and app1 is based on the Spring framework. I want to access this webapp from:

  • xyz1.mydomain.com
  • xyz2.mydomain.com

and in future it should also be accessible from:

  • *.mydomain.com

I have tried CSP, but it works only from Chrome and Firefox; it does not work on IE 11.


Solution

  • IE11 doesn't understand CSP. X-Frame-Options ALLOW-FROM is designed for a single domain only.

    Basically, your options are:

    • Don't care about adding security for the tiny fraction of users still using an outdated browser that lacks modern security standards. Just implement CSP and drop X-Frame-Options.
    • Test hacks to X-Frame-Options, such as adding the header multiple times or inserting multiple domains, all with a trailing slash.
    • Set X-Frame-Options in code based on a whitelist of acceptable domains.
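The third option, spelled out as an added example rather than code from the answer above: a Spring Security configuration that sends CSP `frame-ancestors` for modern browsers and, for IE11, picks a single `ALLOW-FROM` origin per request by matching the `Referer` against a whitelist of framing hosts, falling back to `DENY` when the framer is unknown or not listed. It assumes Spring Security 5.7 on Spring Boot 2.7 (`javax.servlet` imports; Spring Security 6 needs `jakarta.servlet` instead), and the hostnames are the ones from the question. The class name, the allowlist constants and the use of `Referer` as the source of the framing origin are choices made for this example, not anything the Spring project prescribes.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriter;

@Configuration
public class FrameAncestorConfig {

    // Whitelist taken from the question: two exact hosts now, any single label under mydomain.com later.
    static final Set<String> ALLOWED_HOSTS = Set.of("xyz1.mydomain.com", "xyz2.mydomain.com");
    static final Pattern ALLOWED_WILDCARD = Pattern.compile("^[a-z0-9-]+\\.mydomain\\.com$");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Disable the default DENY writer; the custom writer below emits X-Frame-Options instead.
            .frameOptions(frame -> frame.disable())
            // Browsers that understand CSP honour frame-ancestors (with wildcards) and ignore ALLOW-FROM.
            .contentSecurityPolicy(csp -> csp
                .policyDirectives("frame-ancestors 'self' https://*.mydomain.com"))
            .addHeaderWriter(new AllowFromHeaderWriter()));
        return http.build();
    }

    /** IE11 fallback: ALLOW-FROM takes exactly one origin, so it is chosen per request. */
    static final class AllowFromHeaderWriter implements HeaderWriter {
        @Override
        public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
            Optional<String> allowed = framingOrigin(request.getHeader("Referer"))
                .filter(FrameAncestorConfig::isAllowedOrigin);
            // Fail closed: without a usable Referer the page still loads top-level but cannot be framed.
            response.setHeader("X-Frame-Options",
                allowed.map(origin -> "ALLOW-FROM " + origin).orElse("DENY"));
        }
    }

    /** Reduces a Referer URL to its origin (scheme://host[:port]); empty if absent or malformed. */
    static Optional<String> framingOrigin(String referer) {
        if (referer == null || referer.isBlank()) {
            return Optional.empty();
        }
        try {
            URI uri = URI.create(referer.trim());
            if (uri.getScheme() == null || uri.getHost() == null) {
                return Optional.empty();
            }
            String origin = uri.getScheme().toLowerCase(Locale.ROOT)
                + "://" + uri.getHost().toLowerCase(Locale.ROOT);
            return Optional.of(uri.getPort() == -1 ? origin : origin + ":" + uri.getPort());
        } catch (IllegalArgumentException malformed) {
            return Optional.empty();
        }
    }

    /** Accepts only https origins whose host is on the exact list or matches the wildcard pattern. */
    static boolean isAllowedOrigin(String origin) {
        URI uri = URI.create(origin);
        if (!"https".equals(uri.getScheme()) || uri.getHost() == null) {
            return false;
        }
        String host = uri.getHost();
        return ALLOWED_HOSTS.contains(host) || ALLOWED_WILDCARD.matcher(host).matches();
    }
}
```

Two caveats follow from the design. The server never sees which page is framing it; `Referer` is only a hint, and a framing page served with a strict referrer policy will arrive without one and get `DENY` in IE11 (modern browsers are unaffected, since they apply `frame-ancestors` instead). The wildcard is deliberately a single label (`[a-z0-9-]+`), so `evil.com.mydomain.com`-style multi-label hosts are rejected unless the pattern is widened on purpose.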