Move X-Frame-Options ALLOW-FROM wiki page here

helmetjs · Jan 10, 2025 · 646fd5c · 646fd5c
1 parent 8b5eba6
commit 646fd5c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/content/faq/_index.md b/content/faq/_index.md
@@ -14,4 +14,5 @@ title: "Frequently asked questions (FAQ)"
 - [How do I set a custom `X-Powered-By` header?]({{< ref "faq/custom-x-powered-by" >}})
 - [How do I disable blocking with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-disable-blocking" >}})
 - [How do I enable the `report` directive with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-report-directive" >}})
+- [How do I use `X–Frame–Options`'s `ALLOW–FROM` directive?]({{< ref "faq/x-frame-options-allow-from-directive" >}})
 - [Who made Helmet?]({{< ref "faq/contributors" >}})
diff --git a/content/faq/x-frame-options-allow-from-directive.md b/content/faq/x-frame-options-allow-from-directive.md
@@ -0,0 +1,15 @@
+---
+title: How do I use X–Frame–Options's "ALLOW–FROM" directive?
+---
+
+The `X-Frame-Options` header has a directive, `ALLOW-FROM`, which is obsolete. It has [limited browser support](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility) and is improved by the [`frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors). To quote MDN: "don't use it."
+
+If you *need* to set this directive value for some reason, you can create your own small middleware function. Here's what that might look like:
+
+```js
+// NOTE: `ALLOW-FROM` is not supported in most browsers.
+app.use((req, res, next) => {
+  res.setHeader("X-Frame-Options", "ALLOW-FROM https://example.com");
+  next();
+});
+```