diff --git a/CHANGELOG b/CHANGELOG
index aa62a48c1..1210d259a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail
 - Fix compatibility with MySQL 8 - error on 'system' table use
 - Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
 - New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
+- Fix support for "allow-from " in "x_frame_options" config option (#6449)
 
 RELEASE 1.4-beta
 ----------------
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index edc715ae0..e3cca6e59 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -588,7 +588,7 @@ EOF;
 // allow (legal) iframe content to be loaded
 $iframe = $this->framed || $this->env['framed'];
 if (!headers_sent() && $iframe && ($xopt = $this->app->config->get('x_frame_options', 'sameorigin'))) {
- if (strtolower($xopt) != 'sameorigin') {
+ if (strtolower($xopt) === 'deny') {
 header('X-Frame-Options: sameorigin', true);
 }
 }
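Review bot: The new test `strtolower($xopt) === 'deny'` lets every configured value other than `deny` through on framed pages, so a mistyped or otherwise unrecognised `x_frame_options` setting is no longer replaced by `sameorigin` as it was with the old `!= 'sameorigin'` comparison. An allowlist fails safer and still fixes the `allow-from` case: `if (!preg_match('/^(sameorigin|allow-from\s+\S+)$/i', trim($xopt))) {` keeps the override for `deny` and for anything it does not recognise. Browsers that do not implement `allow-from` ignore that header value, so framed pages served with it carry no framing restriction there; a comment such as `// allow-from is not honoured by all browsers; pair it with a CSP frame-ancestors policy` above the check would record that for administrators. Where the configured header is first emitted is presumably earlier in the method, which starts and ends outside this hunk.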