'Is X-Frame-Options ALLOW-FROM really deprecated?

I am not sure about the exact status of this HTTP header. Some source - for instance Mozilla or Caniuse - clearly indicate that this header has been removed since the version 70 of Firefox, and has been replaced by Content-Security-Policy: frame-ancestors.

Despite of that, I can see that X-Frame-Options: ALLOW-FROM myServerURI is still working : using Firefox 75, I clearly see that setting this header or not server side has still an impact on an iFrame : the inner content is allowed or is blocked when the header is present or not.

Examining the server's response headers using Firefox F12 / Web developer tools, Network, Headers clearly shows the presence of this header and the impact on the result. In this situation, there is also a Content-Security-Policy header present, but without the frame-ancestors directive.

firefoxiframehttp-headers


Solution 1:[1]

Something must be wrong with your test.

When I try using it in Firefox 75, I get an error in the console:

Invalid X-Frame-Options: “ALLOW-FROM http://www.example.com/” header from “http://localhost:7007/” loaded into “http://localhost:8080/”.

… and the content is displayed in the frame even though the iframe is hosted on http://localhost:8080/ and not http://www.example.com/

Solution 2:[2]

ALLOW-FROM value for X-Frame-Options header is obsolete now and not supported by new browsers. Refer this link for valid possible values : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Quentin
Solution 2 Abhas Bhoi

Related Questions

Hide scroll bar, but while still being able to scroll

How to set Selenium Python WebDriver default timeout?

setUp method: Failed to connect to binary FirefoxBinary(/usr/bin/firefox) on port 7055; process output follows:

How to manually send HTTP POST requests from Firefox or Chrome browser

Adding items in DOM with jQuery without browser scrollbar update

Is there a workaround for Firefox 5 and Chrome ”setInterval()” and “setTimeout()” in inactive tab

Borders not shown in Firefox with border-collapse on table, position: relative on tbody, or background-color on cell

Saving ArrayBuffer in IndexedDB

Unable to connect to host 127.0.0.1 on port 7055 after 45000 ms. with FF version 26.0 and selenium standalone jar 2.39

Selenium 3 compatibility issue with FireFox 50? Can't get any iframe

Loadrunner 12 - TruClient IE & FireFox Issues

How to increase local storage space to unlimited for a firefox add-ons?

Wrong value for window.innerWidth during onload event in Firefox for Android?

How to disable scroll on HTML5 date inputs having a webshim fallback in

AttributeError: 'module' object has no attribute 'Firefox'