Forum Discussion
Inserting multiple values for the same HTTP Header
Hi,
I'm trying to insert 2 values for the HTTP header X-Frame-Options and wasn't sure what the correct syntax is. The following doesn't seem to work:
when HTTP_RESPONSE {
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    HTTP::header insert "X-Frame-Options" {ALLOW-FROM https://test.com}
}
What's the correct syntax to accomplish this?
Thanks.
- crodriguez (Ret. Employee)
Per RFC 7034 HTTP Header Field X-Frame-Options:
The header field name is: X-Frame-Options
There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.
I interpret that to mean you can't specify multiple X-Frame-Options headers to achieve a combination of options. My guess is that, even if you did specify multiple X-Frame-Options headers in the response, only one will ever be honored by the browser, and the only question is which one - the first or the second - since they are mutually exclusive.
I'm not an expert but I've seen some articles that indicate you might be able to do this with the Content-Security-Policy frame-ancestors directive, which does support multiple origins.
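The Content-Security-Policy approach mentioned in the reply above, as an added iRule example that is not part of the original thread: it sends exactly one X-Frame-Options value and lists the permitted origins in a frame-ancestors directive. The `static::frame_ancestors` variable name and the origin list are assumptions for illustration.

```tcl
when RULE_INIT {
    # Origins allowed to frame the site: 'self' plus the origin from the
    # question. The variable name and list are assumptions; extend as needed.
    set static::frame_ancestors "'self' https://test.com"
}

when HTTP_RESPONSE {
    # X-Frame-Options must carry exactly one value, so drop whatever the
    # pool member sent and emit a single header.
    HTTP::header remove "X-Frame-Options"
    HTTP::header insert "X-Frame-Options" "SAMEORIGIN"

    # Respect a frame-ancestors directive the application already sends.
    set has_fa 0
    foreach csp [HTTP::header values "Content-Security-Policy"] {
        if { [string match -nocase "*frame-ancestors*" $csp] } {
            set has_fa 1
            break
        }
    }

    # Otherwise add it as a separate policy header. Multiple CSP headers are
    # each enforced, and this one restricts framing only.
    if { !$has_fa } {
        HTTP::header insert "Content-Security-Policy" "frame-ancestors $static::frame_ancestors"
    }
}
```

Browsers that implement frame-ancestors use it in place of X-Frame-Options, so SAMEORIGIN acts only as the fallback for older clients.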