I am having some issues setting security policies for my UI which can be framed by more than one site. I am setting CSP policy with multiple frame ancestors. Adding XFrame option is mandated so if I leave it empty the parent class rendering all UIs will add XFO SAMEORIGIN which contradicts with CSP frame ancestors.
One option is to use ALLOWALL but that is not supported widely. Is there any other way I can set an X Frame Option but allow from multiple Uris?
If you supply an invalid value, X-Frame-Options will basically be ignored allowing this to fallback to the frame ancestors you are providing.
Since it can be any value, have fun: