Web Content Security Policy

Support for xFrames and Content-Security-Policy

xFrame Option

Your options are

OFF (don’t include headers at all, everyone can put your site in an iframe)
SAMEORIGIN (Only the exact same domain can use iframes)
DENY (No one can put your site in an iframe) -or-
Specify any number of URLS that you’d like to use (which includes same domain in addition to what you specify).

The implementation works by using the more modern Content-Security-Policy HTTP header, but it still includes the X-Frame-Options HTTP header both to pass your PCI test and to support legacy browsers. Unfortunately, the X-Frame-Options HTTP header does not support specifying multiple domain names, so in that case older browsers will only be able to see iframes if they are from the same domain even if you specify multiple domains in Theatre Manager.

We are passing both Content-Security-Policy and X-Content-Security-Policy and using Content Security Policy 1.0 — this gives support in most browsers so the fallback issues are limited to a very small number of browsers.

Allowable URL's

When a list of allowable URL's is specified, enter the URL's that you want in this space, separated with a comma.

The technical meaning of the x-frame options are described in google searches.

Diataxis:

Reference