Content-Security-Policy (CSP) workaround for internet explorer
The solution recommended by Microsoft is the following:
- internally, whitelist domain1.com and domain2.com
- when embedding your iframe URL, add a parameter in the URL that specifies the origin: <iframe src="http://example.org/frame.html?origin=http://domain1.com">
- on your server, check if the origin value is whitelisted. Use it to set X-Frame-Options: ALLOW-FROM http://domain1.com
You could also check the Referer header if it is present.
Internet Explorer 8 through 11 only support X-Frame-Options, and you can use the ALLOW-FROM value. Specify the URLs for your iframes there.
Please keep in mind only the latest Internet Explorer browsers support X-Content-Security-Policy.
X-Frame-Options is being superseded by Content-Security-Policy, but as you say, not all browsers fully support Content-Security-Policy yet.
You say you're intentionally removing X-Frame-Options, but you shouldn't. That is supported by Internet Explorer, so if you use it in addition to Content-Security-Policy, you will get the same effect across a wider range of browsers.
See X-Frame-Options documentation here, which includes a mention of IE support: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
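As an added illustration of the server-side check described in the first answer (validate the origin parameter, with the Referer as a fallback, against a whitelist and then emit X-Frame-Options: ALLOW-FROM) and of the last answer's point that X-Frame-Options should be sent alongside Content-Security-Policy, here is a small Python WSGI handler. It is example code written for this page, not Microsoft's recommendation verbatim nor code from any of the answerers; the allow-list contents, the function names and the sample origins are assumptions. The check compares whole origins (scheme, host and non-default port) rather than doing a substring match, so a host such as domain1.com.evil.test is rejected.

```python
"""Hypothetical server-side check for the ALLOW-FROM workaround (example code).

Assumed: the embedding page passes its origin as ?origin=... on the frame URL,
and the allow-list below is configured by the site operator."""
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list: origins that may frame this page (scheme + host[:port]).
ALLOWED_ORIGINS = frozenset({
    "http://domain1.com",
    "http://domain2.com",
})


def normalize_origin(value):
    """Reduce a URL or origin string to 'scheme://host[:port]' in lowercase.

    Returns None when the value has no http(s) scheme or no host, so that a bare
    hostname, a javascript: URL or an unparseable port can never match."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is already lowercased
    # Keep a non-default port so http://domain1.com:8080 is a distinct origin.
    default_port = 80 if parts.scheme == "http" else 443
    if port is not None and port != default_port:
        origin += f":{port}"
    return origin


def pick_framing_origin(query_string, referer=None):
    """Return the first allow-listed origin from ?origin=..., then from Referer.

    Returns None when neither value is on the allow-list."""
    params = parse_qs(query_string or "", keep_blank_values=False)
    candidates = list(params.get("origin", []))
    if referer:
        candidates.append(referer)
    for candidate in candidates:
        origin = normalize_origin(candidate)
        if origin in ALLOWED_ORIGINS:  # exact-origin comparison, not a substring test
            return origin
    return None


def frame_headers(query_string, referer=None):
    """Build both framing headers for the response.

    IE 8-11 honour X-Frame-Options ALLOW-FROM; browsers with CSP support honour
    frame-ancestors, so both are sent. An unknown origin gets a deny-all pair."""
    origin = pick_framing_origin(query_string, referer)
    if origin is None:
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    return {
        "X-Frame-Options": f"ALLOW-FROM {origin}",
        "Content-Security-Policy": f"frame-ancestors {origin}",
    }


def application(environ, start_response):
    """Minimal WSGI handler serving the framed page with the computed headers."""
    headers = frame_headers(environ.get("QUERY_STRING", ""),
                            environ.get("HTTP_REFERER"))
    body = b"<!doctype html><title>frame</title><p>framed content</p>"
    response_headers = [("Content-Type", "text/html; charset=utf-8"),
                        ("Content-Length", str(len(body)))]
    response_headers.extend(headers.items())
    start_response("200 OK", response_headers)
    return [body]


if __name__ == "__main__":
    # Local test server only: GET http://127.0.0.1:8000/frame.html?origin=http://domain1.com
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

Because ALLOW-FROM takes a single origin, the response is computed per request from the origin the embedder declares; the allow-list decides whether that declaration is honoured, and anything else falls back to DENY / frame-ancestors 'none'.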