Forum Discussion

Randell_375239
Oct 23, 2018

Inserting multiple values for the same HTTP Header

Hi,

 

I'm trying to insert 2 values for the HTTP header X-Frame-Options and wasn't sure what the correct syntax is. The following doesn't seem to work:

 

    when HTTP_RESPONSE {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
        HTTP::header insert "X-Frame-Options" {ALLOW-FROM https://test.com}
    }

 

What's the correct syntax to accomplish this?

 

Thanks.

 

1 Reply

  • Per RFC 7034 HTTP Header Field X-Frame-Options:

       The header field name is:
    
          X-Frame-Options
    
       There are three different values for the header field.  These values
       are mutually exclusive; that is, the header field MUST be set to
       exactly one of the three values.
    

    I interpret that to mean you can't specify multiple X-Frame-Options headers to achieve a combination of options. My guess is that, even if you did specify multiple X-Frame-Options headers in the response, only one will ever be honored by the browser, and the only question is which one - the first or the second - since they are mutually exclusive.

    I'm not an expert but I've seen some articles that indicate you might be able to do this with the Content-Security-Policy frame-ancestors directive, which does support multiple origins.
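
The approach the reply points to, written as an iRule. This is an added example, not part of the thread, and it assumes the allowed framing origins are the site itself plus https://test.com, the origin named in the question.

```tcl
# Added example (not from the thread). Assumed policy: the page may be
# framed by its own origin and by https://test.com.
when HTTP_RESPONSE {
    # Drop any X-Frame-Options sent by the pool member so that exactly one
    # instance, carrying exactly one value, reaches the client (RFC 7034).
    HTTP::header remove "X-Frame-Options"
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"

    # frame-ancestors takes a space-separated source list, so both origins
    # fit in one directive. It is sent as its own header: a browser enforces
    # every Content-Security-Policy header it receives, so this adds a
    # restriction without rewriting a policy the application already set.
    HTTP::header insert "Content-Security-Policy" "frame-ancestors 'self' https://test.com"
}
```

Browsers that implement frame-ancestors apply it in preference to X-Frame-Options, so the second origin is honored there; browsers that do not fall back to the stricter SAMEORIGIN.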