Hi Riramar, this is ADHTB. You're right about the X-Frame-Options header directive ALLOWALL: it is defined almost nowhere. It was initially set up on some servers to make the directive invalid and thus allow the websites to be framed from any other origin. As a consequence, Mozilla (and apparently Microsoft too) decided to make it "valid" (to remove warnings from the console): https://bugs.webkit.org/show_bug.cgi?id=110857 My goal here was to mention that somehow, and in my own opinion, it is better to have an explicit value than an implicit default value. However, as it is my own opinion, I won't blame you if you revert my change because you disagree (as it is right that it is defined in no RFC or other "official" document) :).