Development Discussion Board

[Posts]

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

https://developer.mozilla.org/en/the_x- ... nse_header

mediawiki is now using it:
https://bugzilla.wikimedia.org/show_bug.cgi?id=26561
http://lists.wikimedia.org/pipermail/me ... 00093.html

Browser compatibility
Browser Lowest version
Internet Explorer 8.0
Firefox (Gecko) 3.6.9 (1.9.2.9)
Opera 10.50
Safari 4.0
Chrome 4.1.249.1042

[Noxwizard]

I can see its usefulness, but it would definitely need to be an option on the Security section of the ACP. A non-trivial amount of board owners operate their sites in frames, so we wouldn't want to alienate the users who integrate it with their site this way.

[naderman]

Indeed, this is not something we can enforce for all boards. An option would be a possibility but if it's not important enough for us to enforce on all boards, why clutter the ACP with more options? And realistically how many admins would enable this? So I think my vote is a nay.