We have a website with pages that contain multiple frames from different sources. To illustrate, the page home.html has 3 frames whose content is loaded from 3 different sites: a.com, b.com and c.com. To prevent the "XFS vulnerability / X-Frame-Options parameter" issue, I would like to use XFrameOptions with the ALLOW-FROM option.
Can I set XFrameOptions several times, or can I set several ALLOW-FROM options, to block the modification of the sources?
We've tried to set several values for ALLOW-FROM, but we get the following message in the Web Agent logs:
[Thu Jul 20 2017 13:15:56][CSmHttpPluginConfig.cpp:2646][ERROR][sm-HTTPAgent-00340]
Invalid configuration: 'xframeoptions' has been specified more than once; using default value.
You cannot use the XFrameOptions parameter several times, nor set multiple values for the ALLOW-FROM option. This is a limitation described in RFC 7034:
2.3.2.3. Usage Design Pattern and Example Scenario for the ALLOW-FROM Parameter
"As the "ALLOW-FROM" field only supports one serialized-origin,[...]"
You'll note that the use of wildcards is prohibited too:
"Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted (see Section 2.3.2.3)."
https://tools.ietf.org/html/rfc7034
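The following is an added example, not code from the original question, the answer, or the web agent vendor. It shows the two points the answer makes in working form: a validator that accepts only the RFC 7034 grammar (DENY, SAMEORIGIN, or ALLOW-FROM followed by exactly one serialized-origin, so lists and wildcards are rejected), and the section 2.3.2.3 design pattern that works around the single-origin limit by choosing that one origin per response from the request's Referer against an allow-list. The function names, the allow-list and the sample Referer values are constructed for illustration.

```python
"""Added example: X-Frame-Options per RFC 7034 (not from the original page).

RFC 7034 section 2.1 grammar:
    X-Frame-Options = "DENY" / "SAMEORIGIN" / ( "ALLOW-FROM" RWS SERIALIZED-ORIGIN )
Only one serialized-origin (RFC 6454: scheme://host[:port]) is allowed; no
wildcards, no lists. Section 2.3.2.3 therefore has the framed resource pick
the single origin to emit on each response, based on the request's Referer.
"""
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# scheme://host[:port] only: no path, no comma, no '*' in the host part.
_ORIGIN_RE = re.compile(r"^(https?)://([a-z0-9.-]+)(?::(\d{1,5}))?$", re.IGNORECASE)
# RWS = required whitespace (SP / HTAB); \S+ ensures a single token follows.
_ALLOW_FROM_RE = re.compile(r"^ALLOW-FROM[ \t]+(\S+)$", re.IGNORECASE)
_DEFAULT_PORTS = {"http": 80, "https": 443}


def is_serialized_origin(value: str) -> bool:
    """True if value is one scheme://host[:port] origin (no wildcard, no list)."""
    return _ORIGIN_RE.match(value) is not None


def validate_x_frame_options(value: str) -> bool:
    """True only for a well-formed X-Frame-Options value.

    'ALLOW-FROM https://a.com https://b.com', 'ALLOW-FROM https://a.com,https://b.com'
    and 'ALLOW-FROM https://*.example' all fail, which is why a list of values
    cannot be configured (the web agent rejects such a configuration outright).
    """
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return True
    m = _ALLOW_FROM_RE.match(v)
    return m is not None and is_serialized_origin(m.group(1))


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL (e.g. a Referer) to its lower-cased serialized origin.

    Default ports are dropped so 'https://x.example:443/p' and
    'https://x.example/p' map to the same origin. Non-http(s) or malformed
    URLs yield None.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # already lower-cased by urlsplit
        port = parts.port      # may raise ValueError for an out-of-range port
    except ValueError:
        return None
    if scheme not in _DEFAULT_PORTS or not host:
        return None
    origin = f"{scheme}://{host}"
    if port is not None and port != _DEFAULT_PORTS[scheme]:
        origin += f":{port}"
    return origin


def choose_x_frame_options(referer: Optional[str], trusted_framers: Set[str]) -> str:
    """RFC 7034 section 2.3.2.3 pattern: emit at most ONE origin per response.

    The Referer is advisory (browsers may omit or trim it), so a missing or
    unrecognised Referer falls back to DENY rather than to a permissive value.
    """
    if referer:
        origin = origin_of(referer)
        if origin in trusted_framers:
            return f"ALLOW-FROM {origin}"
    return "DENY"


# Constructed allow-list of origins permitted to frame this resource.
TRUSTED_FRAMERS = {"https://home.example", "https://portal.example:8443"}

if __name__ == "__main__":
    for ref in ("https://home.example/home.html",
                "https://portal.example:8443/app/",
                "https://attacker.example/page",
                None):
        print(repr(ref), "->", choose_x_frame_options(ref, TRUSTED_FRAMERS))
    for hv in ("ALLOW-FROM https://home.example",
               "ALLOW-FROM https://a.com https://b.com",
               "ALLOW-FROM https://*.example",
               "SAMEORIGIN"):
        print(repr(hv), "valid" if validate_x_frame_options(hv) else "rejected")
```

Every value this produces satisfies the validator, so the header is never emitted with more than one origin; the price of the pattern is that it depends on an advisory Referer, and a request without one is simply denied framing.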