
Does XFrameOptions ALLOW-FROM accept multiple values?


Article ID: 15186


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


We have a website which has pages that contain multiple frames from different sources. To illustrate, the page home.html has 3 frames whose content is loaded from 3 different sites :, and I want to prevent the "XFS vulnerability / X-Frame-Options parameter". I would like to use XFrameOptions with the ALLOW-FROM option.

Can I set XFrameOptions several times, or can I set several ALLOW-FROM options, to block the modification of the sources?


We've tried to set several values for ALLOW-FROM, but we get the following message in the Web Agent logs:


[Thu Jul 20 2017 13:15:56][CSmHttpPluginConfig.cpp:2646][ERROR][sm-HTTPAgent-00340]

Invalid configuration: 'xframeoptions' has been specified more than once; using default value.



Component: SMAPC


You cannot specify the XFrameOptions parameter more than once, nor set multiple values for the ALLOW-FROM option. This is a limitation described in RFC 7034, under "Usage Design Pattern and Example Scenario for the ALLOW-FROM":



"As the "ALLOW-FROM" field only supports one serialized-origin,[...]" 


Note that the use of wildcards is prohibited too:


"Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted (see Section "
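An added example, not part of the original article or of the SiteMinder product: because one ALLOW-FROM header carries a single origin, a server that must be framable by several trusted sites has to pick that one origin per request from an allowlist and fail closed otherwise. `TRUSTED_FRAMERS`, the function names and the example.com origins are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites permitted to frame our pages (assumption).
TRUSTED_FRAMERS = {"https://portal.example.com", "http://partner.example.net:8080"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def serialized_origin(value):
    """Return scheme://host[:port] if value is exactly one origin, else None."""
    if not value or any(c.isspace() or c in ",;*" for c in value):
        return None  # lists and wildcards are not permitted in ALLOW-FROM
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if "@" in parts.netloc or ":" in parts.hostname:
        return None  # no userinfo tricks; IPv6 literals are out of scope here
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an origin has no path, query or fragment
    suffix = "" if port in (None, DEFAULT_PORTS[parts.scheme]) else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def x_frame_options(framing_origin):
    """Header value for one response: at most ONE origin, never a list.

    framing_origin is whatever the framing page claimed about itself (for
    example in a query parameter), so it is untrusted until it matches the
    allowlist exactly.
    """
    origin = serialized_origin(framing_origin)
    if origin in TRUSTED_FRAMERS:
        return f"ALLOW-FROM {origin}"
    return "DENY"  # fail closed for unknown, missing or malformed origins


if __name__ == "__main__":
    for claimed in ("https://portal.example.com",
                    "https://portal.example.com, http://partner.example.net:8080",
                    "https://*.example.com"):
        print(f"{claimed!r:65} -> X-Frame-Options: {x_frame_options(claimed)}")
```

Browsers that do not implement ALLOW-FROM ignore that header value; the Content-Security-Policy `frame-ancestors` directive is the header mechanism that accepts several origins at once.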


Additional Information

Help Prevent Attacks

Ensure Agent Responses Comply with X-Frame-Options