Back in January of 2009, I announced IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order to provide its security benefit. Since its introduction in IE8, we’ve seen a number of sites and other browsers adopt support for this directive as a mechanism to prevent malicious framing of content (called “ClickJacking” or “UI Redress” attacks), since frame-busting scripts can be defeated. You can determine if your browser supports the X-Frame-Options directive using this test page. When permission to frame is denied, some browsers (e.g. Combating ClickJacking With X-Frame-Options - EricLaw's IEInternals
X-Frame-Options Originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally. Let's have a bit deeper a look at what it is and how we can use it. What is it good for? Originally is was intended as a way to prevent clickjacking. X-Frame-Options something web developers should know
Adoption of X-FRAME-OPTIONS Header Late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solution is the X-FRAME-OPTIONS header that allow a site to control whether its content can be within a frame. There are two settings to this header, DENY blocks the content from being in a frame and SAMEORIGIN only allows the content to be framed by pages within the same origin. While it is not the end all and be all of clickjacking solution and won't work in some sites that extensively use frames across multiple sites, it is considered as a more reasonable approach for sites to protect their own content.
As we planned Internet Explorer 8, our security teams analyzed the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. Over the course of IE8’s development, we’ve also worked closely with those in the security research community to stay on top of new classes of threats. One of the most subtle and interesting web application security vulnerabilities is called Cross Site Request Forgery (CSRF); security researcher Jeremiah Grossman calls CSRF “the sleeping giant” of web vulnerabilities. As Jeremiah notes, preventing CSRF attacks is hard because there’s generally no easy fix. IEBlog : IE8 Security Part VII: ClickJacking Defenses