One of the security enhancements included with Firefox 3.6.9 is support for the X-Frame-Options header. This optional HTTP response header lets a site tell the client's browser whether the returned content may be rendered inside a frame on another page.
A website can include the X-Frame-Options header to protect against malicious framing of its content by third parties. For example, a malicious site might frame a page from another domain and surround the framed page with its own advertisements. Alternatively, a malicious site could mount a clickjacking attack: it loads the target page in a frame, hides or obscures that frame with overlaid CSS layers (a transparent frame placed over a decoy button, for instance), and tricks the user into clicking through to the framed site, performing actions there that the user never intended.
The X-Frame-Options header supports the following values:
SAMEORIGIN – allows the page to be framed only by pages from the same origin (same scheme, host and port); a frame from any other origin is not rendered
DENY – prevents any page, including pages from the same site, from framing it
The check is performed by the browser, so the header must be sent with every response that should not be framed, and a browser that does not yet support it (Firefox before 3.6.9) simply ignores the header and renders the frame.
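To make the two values concrete, here is an added example that is not part of the original post: a small WSGI middleware that stamps X-Frame-Options on every response the way a site would, plus a function modelling the decision a supporting browser makes when it meets the header. The app, middleware and function names, the example URLs and the treatment of unrecognised values are this example's own assumptions, not Firefox's code.

```python
"""Added example (not from the original post): attaching X-Frame-Options
server-side and evaluating SAMEORIGIN / DENY the way a supporting
browser does. Names and URLs are hypothetical."""
from urllib.parse import urlsplit


def add_frame_options(app, policy="DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options.

    Only DENY and SAMEORIGIN are accepted; anything else is rejected at
    configuration time rather than emitted as a header browsers ignore."""
    policy = policy.upper()
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("unsupported X-Frame-Options value: %r" % policy)

    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            # Replace any value the inner app set so one policy applies
            # uniformly to every response, not just the ones that remembered.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped


def origin_of(url):
    """Scheme, host and port: the tuple that 'same origin' compares."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def framing_allowed(response_headers, framed_url, top_url):
    """Would a supporting browser render framed_url inside a page at
    top_url, given the headers of the framed response?"""
    value = None
    for k, v in response_headers:
        if k.lower() == "x-frame-options":
            value = v.strip().upper()
    if value is None:
        return True  # no header: framing is unrestricted
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    # Unrecognised value: treated as absent here (an assumption; real
    # browser behaviour for malformed values is not something to rely on).
    return True


def hello_app(environ, start_response):
    """Constructed stand-in for a real site (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_app(app, path="/"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, headers, _ = run_app(add_frame_options(hello_app, "SAMEORIGIN"))
    print(headers)
    # Same origin may frame; another origin, or the same host over a
    # different scheme, may not.
    print(framing_allowed(headers, "https://bank.example/acct", "https://bank.example/"))
    print(framing_allowed(headers, "https://bank.example/acct", "https://evil.example/"))
    print(framing_allowed(headers, "https://bank.example/acct", "http://bank.example/"))
```

The middleware overwrites rather than merges any X-Frame-Options value the application set, which is the behaviour you usually want: a framing policy chosen once at the edge is easier to audit than one scattered across handlers that may forget to send it. The scheme check in the last print line is the part people most often miss: SAMEORIGIN compares origins, so the http and https versions of the same host are not the same origin.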
Additional Reading:
Mozilla Developer Network article
Microsoft Developer Network article
OWASP Clickjacking Article
Michael Coates