It seems like you are trying to set the X-Frame-Options header twice in your HTTP response. One of them has the default value "SAMEORIGIN" and the other one has the value "allow-from example.com". This is not allowed, as each header can only be set once in an HTTP response.
To set the X-Frame-Options header with the value "allow-from example.com", you should remove the other header that has the default value. You can do this by modifying the server-side code that generates the HTTP response.
If you are using CloudHub with a DLB (Dedicated Load Balancer), you may need to modify the configuration of the DLB to set the X-Frame-Options header correctly. You should consult the documentation of CloudHub and DLB to find out how to do this.
Also, note that the "allow-from" directive for X-Frame-Options has been deprecated and is no longer supported by some browsers. You should consider using the Content-Security-Policy (CSP) header with the "frame-ancestors" directive instead.
Try this:
Content-Security-Policy: frame-ancestors example.com;
This header allows the web page to be displayed within an iframe only if the origin of the iframe is example.com.
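As an added illustration that is not part of the original answer: a small Python helper that spots the duplicated X-Frame-Options header in a captured response and rewrites the header list into a single Content-Security-Policy frame-ancestors directive. The header list and the allowed origin are constructed sample values, not taken from any real deployment.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample response, mimicking the two conflicting headers described above.
SAMPLE_RESPONSE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "allow-from example.com"),
]


def find_duplicate_headers(headers: List[Header]) -> Dict[str, List[str]]:
    """Return header names (lowercased) that occur more than once, with all their values.

    Header names are case-insensitive, so two spellings of the same header still count
    as a duplicate. A duplicated X-Frame-Options header is exactly the situation that
    leaves browsers with an ambiguous framing policy."""
    seen: Dict[str, List[str]] = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def replace_frame_options(headers: List[Header], allowed_origins: List[str]) -> List[Header]:
    """Drop every X-Frame-Options header and emit one CSP frame-ancestors directive.

    'allow-from' is a deprecated X-Frame-Options value; frame-ancestors is the supported
    replacement and can list several origins. If the response already carries a CSP
    header, its other directives are kept and only frame-ancestors is (re)written so the
    result never contains two CSP headers or two frame-ancestors directives."""
    kept = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
    existing_csp = [v for n, v in kept if n.lower() == "content-security-policy"]
    kept = [(n, v) for n, v in kept if n.lower() != "content-security-policy"]

    directives: List[str] = []
    for value in existing_csp:
        for directive in value.split(";"):
            directive = directive.strip()
            if directive and not directive.lower().startswith("frame-ancestors"):
                directives.append(directive)
    directives.append("frame-ancestors " + " ".join(allowed_origins))

    kept.append(("Content-Security-Policy", "; ".join(directives)))
    return kept
```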