Inserting multiple values for the same HTTP Header

Question

Hi,&nbsp;
I'm trying to insert 2 values for the HTTP header X-Frame-Options and wasn't sure what the correct syntax is. The following doesn't seem to work:&nbsp;
when HTTP_RESPONSE {
     HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
     HTTP::header insert "X-Frame-Options" {ALLOW-FROM https://test.com}
}&nbsp;
What's the correct syntax to accomplish this?&nbsp;
Thanks.&nbsp;

crodriguez · Answer

Per RFC 7034 HTTP Header Field X-Frame-Options:
   The header field name is:

X-Frame-Options

There are three different values for the header field.  These values
   are mutually exclusive; that is, the header field MUST be set to
   exactly one of the three values.

I interpret that to mean you can't specify multiple X-Frame-Options headers to achieve a combination of options. My guess is that, even if you did specify multiple X-Frame-Options headers in the response, only one will ever be honored by the browser, and the only question is which one - the first or the second - since they are mutually exclusive.
I'm not an expert but I've seen some articles that indicate you might be able to do this with the Content-Security-Policy frame-ancestors directive, which does support multiple origins.

Forum Discussion

Inserting multiple values for the same HTTP Header

Recent Discussions

VIP needed for many UDP ports

Creating Policy using Terraform

Unable to get Internet in server using SWG forward Proxy.

ASM don't block attack XSS

AWAF ADD-ON MODULE

Related Content

iRule HTML Maintenance Page insert URI Value

Integrate BIG-IP with AWS CloudWAN Service Insertion

Multiple value seperator in saml Attribute

HTTPS Routing based on Client Certificates values with F5 Distributed Cloud

Multiple Ways to Configure Usage Reporting in NGINX

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS