We have a website which has pages that contains multiple frames from different sources. To illustrate, the page home.html has 3 frames which content is loaded from 3 different sites : a.com, b.com and c.com. I want to prevent "XFS vulnerability / X-Frame-Options parameter" I would like to use XFrameOptions with ALLOW-FROM option.
Can I set the XFrameOptions several times or can I set several ALLOW-FROM options to block the modification of the sources ?
We've tried to set several values to ALLOW-FROM, but we get the following message in the Web Agent logs :
[Thu Jul 20 2017 13:15:56][CSmHttpPluginConfig.cpp:2646][ERROR][sm-HTTPAgent-00340]
Invalid configuration: 'xframeoptions' has been specified more than once; using default value.
You cannot use several times the parameter XFrameOptions nor set multiple values to ALLOW-FROM option. And this is a limitation described by the RFC 7034 :
18.104.22.168. Usage Design Pattern and Example Scenario for the ALLOW-FROM
"As the "ALLOW-FROM" field only supports one serialized-origin,[...]"
You'll note that the usage of wildcards is prohibited too :
"Wildcards or lists to declare multiple domains in one
ALLOW-FROM statement are not permitted (see Section 22.214.171.124). "
Help Prevent Attacks