Does XFrameOptions ALLOW-FROM accept multiple values?

Document ID : KB000015186
Last Modified Date : 14/02/2018
Question:

We have a website with pages that contain multiple frames from different sources. To illustrate, the page home.html has 3 frames whose content is loaded from 3 different sites: a.com, b.com and c.com. To prevent the "XFS vulnerability / X-Frame-Options parameter" finding, I would like to use XFrameOptions with the ALLOW-FROM option.

Can I set XFrameOptions several times, or can I set several ALLOW-FROM options, to block modification of the sources?

We've tried to set several values for ALLOW-FROM, but we get the following message in the Web Agent logs:

[Thu Jul 20 2017 13:15:56][CSmHttpPluginConfig.cpp:2646][ERROR][sm-HTTPAgent-00340] Invalid configuration: 'xframeoptions' has been specified more than once; using default value.

Answer:

You cannot set the XFrameOptions parameter several times, nor give the ALLOW-FROM option multiple values. As the log message shows, the Web Agent rejects a duplicated 'xframeoptions' parameter and falls back to its default value. The restriction is not specific to the Web Agent: it comes from RFC 7034, which defines the X-Frame-Options header:

2.3.2.3. Usage Design Pattern and Example Scenario for the ALLOW-FROM Parameter

"As the "ALLOW-FROM" field only supports one serialized-origin,[...]"

The RFC also prohibits wildcards and lists:

"Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted (see Section 2.3.2.3)."

https://tools.ietf.org/html/rfc7034

Two points worth keeping in mind when applying this to the scenario in the question. First, X-Frame-Options restricts who may frame the response that carries it: the header on home.html controls which sites can embed home.html, not which sites home.html may embed. For home.html to frame content from a.com, b.com and c.com, it is the responses of those three sites that must permit home.html's origin. Second, the design pattern in RFC 7034 section 2.3.2.3 for a resource framed by several partners is to emit a single ALLOW-FROM origin per response, chosen for the specific request, rather than a list. ALLOW-FROM was only ever implemented by some browsers and is ignored by current ones; the Content-Security-Policy frame-ancestors directive is the standard replacement and accepts a list of origins.
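The following is an added example, not code from the CA Web Agent or from RFC 7034. It implements a checker for X-Frame-Options values under the RFC 7034 grammar (one directive, at most one serialized-origin, no lists or wildcards), so the inputs the Web Agent refuses are rejected the same way, and it shows the per-request pattern from section 2.3.2.3: the server selects the single allowed framer matching the request's Referer and fails closed to DENY otherwise, while a CSP frame-ancestors header carries the whole allowlist. The function names, the Referer-based selection and the sample origins a.com, b.com and c.com are assumptions for the example; nothing here describes how the Web Agent itself chooses the header.

```python
"""Added example (not CA/Broadcom Web Agent code): an RFC 7034 X-Frame-Options
value checker, plus the per-request "one ALLOW-FROM origin per response" pattern
alongside a CSP frame-ancestors header that carries the whole allowlist."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def _origin_of(url: str) -> Optional[str]:
    """Normalise a URL to its serialized origin (scheme://host[:port]),
    dropping default ports; None if it is not an http(s) URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in ("http", "https") or not u.hostname:
        return None
    try:
        port = u.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    host = u.hostname  # urlsplit lowercases the host
    if ":" in host:    # IPv6 literal, put the brackets back
        host = "[" + host + "]"
    if port is None or port == (443 if scheme == "https" else 80):
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def parse_x_frame_options(value: str) -> Tuple[str, Optional[str]]:
    """Parse a header value per RFC 7034: DENY, SAMEORIGIN, or ALLOW-FROM followed
    by exactly one serialized-origin. Lists, wildcards and extra tokens raise
    ValueError, the same class of input the Web Agent refuses in the question."""
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()  # ABNF string literals are case-insensitive
    if directive in ("DENY", "SAMEORIGIN"):
        if len(tokens) != 1:
            raise ValueError("%s takes no argument" % directive)
        return directive, None
    if directive != "ALLOW-FROM":
        raise ValueError("unknown directive %r" % tokens[0])
    if len(tokens) != 2:
        raise ValueError("ALLOW-FROM takes exactly one serialized-origin; lists are not permitted")
    raw = tokens[1]
    u = urlsplit(raw)
    origin = _origin_of(raw)
    # A serialized-origin has no path, query or fragment, and no wildcard or list.
    if origin is None or "*" in raw or "," in raw or u.path or u.query or u.fragment:
        raise ValueError("ALLOW-FROM argument is not a single serialized-origin: %r" % raw)
    return directive, origin


def framing_headers(referer: Optional[str], allowed_framers: List[str]) -> Dict[str, str]:
    """Build response headers for a resource that several sites may frame.
    X-Frame-Options can name only one origin, so pick the one matching the
    requesting page's Referer and fail closed to DENY when the Referer is absent
    or not allowlisted; CSP frame-ancestors can carry the full list, so emit it too."""
    allowlist = [o for o in (_origin_of(a) for a in allowed_framers) if o]
    framer = _origin_of(referer) if referer else None
    headers = {}
    if framer is not None and framer in allowlist:
        headers["X-Frame-Options"] = "ALLOW-FROM " + framer
    else:
        headers["X-Frame-Options"] = "DENY"
    headers["Content-Security-Policy"] = "frame-ancestors " + (" ".join(allowlist) or "'none'")
    return headers


if __name__ == "__main__":
    # Constructed sample data (assumption): pages on a.com, b.com and c.com are
    # the sites allowed to frame this resource, mirroring the question's scenario.
    ALLOWED = ["https://a.com", "https://b.com", "https://c.com"]
    for v in ("DENY", "ALLOW-FROM https://a.com",
              "ALLOW-FROM https://a.com https://b.com", "ALLOW-FROM https://*.a.com"):
        try:
            print("%-42s -> %s" % (v, parse_x_frame_options(v)))
        except ValueError as e:
            print("%-42s -> rejected: %s" % (v, e))
    for ref in ("https://b.com/home.html", "https://evil.example/clickjack.html", None):
        print(ref, framing_headers(ref, ALLOWED))
```

Selecting on the Referer only works because the browser, not the framing page, sets it; a framing page can suppress its Referer, but that path lands on DENY, so the check fails closed rather than open.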


Additional Information:

Help Prevent Attacks

Ensure Agent Responses Comply with X-Frame-Options