General discussion of development ideas and the approaches taken in the 3.x branch of phpBB. The current feature release of phpBB 3 is 3.3/Proteus.
Forum rules Please do not post support questions regarding installing, updating, or upgrading phpBB 3.3.x. If you need support for phpBB 3.3.x please visit the 3.3.x Support Forum on phpbb.com.
If you have questions regarding writing extensions please post in Extension Writers Discussion to receive proper guidance from our staff and community.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
I can see its usefulness, but it would definitely need to be an option on the Security section of the ACP. A non-trivial amount of board owners operate their sites in frames, so we wouldn't want to alienate the users who integrate it with their site this way.
Indeed, this is not something we can enforce for all boards. An option would be a possibility but if it's not important enough for us to enforce on all boards, why clutter the ACP with more options? And realistically how many admins would enable this? So I think my vote is a nay.