Forum Discussion
crodriguez
Oct 23, 2018
Ret. Employee
Per RFC 7034 HTTP Header Field X-Frame-Options:
The header field name is:
X-Frame-Options
There are three different values for the header field. These values
are mutually exclusive; that is, the header field MUST be set to
exactly one of the three values.
I interpret that to mean you can't specify multiple X-Frame-Options headers to achieve a combination of options. My guess is that, even if you did specify multiple X-Frame-Options headers in the response, only one will ever be honored by the browser, and the only question is which one - the first or the second - since they are mutually exclusive.
I'm not an expert but I've seen some articles that indicate you might be able to do this with the Content-Security-Policy frame-ancestors directive, which does support multiple origins.
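The following is an added example, not part of the original post: it audits a response's header list for the multiple-X-Frame-Options situation described above and builds a single Content-Security-Policy frame-ancestors header that lists several origins. The function names, the `include_self` option and the `partner.example` / `portal.example` origins are assumptions made for illustration.

```python
import re

# The three mutually exclusive X-Frame-Options values defined by RFC 7034.
XFO_VALUES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")
# Plain scheme://host[:port] only, so a list entry cannot smuggle in
# spaces, ';' or line breaks that would alter the policy or the header.
ORIGIN_RE = re.compile(r"https?://[A-Za-z0-9.-]+(:\d{1,5})?")


def frame_ancestors_header(origins, include_self=True):
    """Build one CSP header that lets several origins frame the page."""
    bad = [o for o in origins if not ORIGIN_RE.fullmatch(o)]
    if bad:
        raise ValueError(f"not a plain origin: {bad!r}")
    sources = (["'self'"] if include_self else []) + list(origins)
    if not sources:
        sources = ["'none'"]  # empty allowlist: nobody may frame the page
    return ("Content-Security-Policy", "frame-ancestors " + " ".join(sources))


def audit_x_frame_options(headers):
    """Return findings for X-Frame-Options in a list of (name, value) pairs."""
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    findings = []
    if len(values) > 1:
        findings.append(f"{len(values)} X-Frame-Options headers sent; "
                        "RFC 7034 requires exactly one value")
    for v in values:
        keyword = (v.split() or [""])[0].upper()
        if "," in v:
            findings.append(f"comma-joined value {v!r} is not a single value")
        elif keyword not in XFO_VALUES:
            findings.append(f"unknown value {v!r}")
    return findings


# Constructed sample response: an attempt to combine two options.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
]

if __name__ == "__main__":
    for finding in audit_x_frame_options(SAMPLE):
        print("finding:", finding)
    print(": ".join(frame_ancestors_header(["https://partner.example",
                                            "https://portal.example"])))
```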