I get this question a lot — especially from people building iframe-based components with zoid. The question is “how do I whitelist multiple domains with X-FRAME-OPTIONS?” The answer is pretty simple (and it works for any iframe): have the client pass along the domain when you create the iframe! Here’s an example. First, on the client, let’s create our iframe, and pass along the domain: // Set up..