This option is now obsolete and if you use it NO iframe blocking occurs so this is dangerous to have present.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
ALLOW-FROM uri – This is an obsolete directive that no longer works in modern browsers. Don’t use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn’t check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.
I create an account (very tricky) but could not post on the forum.
Thanks
Jon