X-Frame-Options is deprecated. From MDN:
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Do not use it in old or new projects. Pages or Web apps using it may break at any time.
The modern alternative is the Content-Security-Policy header, which along with many other policies can white-list what URLs are allowed to host your page in a frame, using the frame-ancestors directive.
frame-ancestors supports multiple domains and even wildcards, for example:
Content-Security-Policy: frame-ancestors 'self' example.com *.example.net ;
Unfortunately, for now, Internet Explorer does not fully support Content-Security-Policy.
UPDATE: MDN has removed their deprecation comment. Here’s a similar comment from W3C’s Content Security Policy Level
The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.
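As an added example (not part of the original answer), the Python sketch below audits a response's headers the way the quoted precedence rule describes: if frame-ancestors is present it decides and X-Frame-Options is ignored. The function names and sample origins are hypothetical, and source matching is simplified (ports and paths in host sources are not handled).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample response: the policy from the answer plus a conflicting X-Frame-Options.
SAMPLE = {"Content-Security-Policy": "frame-ancestors 'self' example.com *.example.net ;",
          "X-Frame-Options": "DENY"}

def origin(url):
    """(scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme)

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(source, ancestor, self_url):
    scheme, host, _ = origin(ancestor)
    if source == "'self'":
        return origin(ancestor) == origin(self_url)
    if source == "*":
        return True
    if "://" in source:
        wanted, source = source.split("://", 1)
        if scheme != wanted:
            return False
    elif scheme not in (origin(self_url)[0], "https"):
        return False  # schemeless source: the page's own scheme, or https
    if source.startswith("*."):
        return host.endswith(source[1:])  # subdomains only, not the bare domain
    return host == source

def may_frame(headers, ancestor, self_url):
    """True if `ancestor` may embed the page served from `self_url`."""
    sources = frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored
        return any(source_matches(s, ancestor, self_url)
                   for s in sources if s != "'none'")
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(ancestor) == origin(self_url)
    return True
```

A browser applies the frame-ancestors check to every ancestor in the frame chain, so call `may_frame` once per ancestor when auditing nested embeds.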