I've been trying to find the answer to this but haven't been able to find anything definitive. For X-Frame-Options, it seems there is only limited support for the 'Allow-From' option which allows you to whitelist a URL which can embed your site in an iFrame (based on http://caniuse.com/#feat=x-frame-options where the browsers with the yellow coloured blocks are those which do not support the 'Allow-From' option).
I want to whitelist a 3rd party site's URL which is loading my site in an iFrame specifically on Safari on iOS (for whatever reason, this is not the case on any other mobile or desktop browser). What I'm not sure of is the fallback behaviour when using 'Allow-From'; on browsers that don't support it. Is it safe to use it or could it cause a security risk based on the fallback behaviour being unpredictable?
Grateful for any pointers.
Clients which do not support it will ignore it, there is nothing more into it and there is no fallback or midle term.
I would recommend you to use CSP (Content Security Policy) which has a wider scope of client-browsers that support it and allow for much more specific settings.