There is also a reputational risk in simply having a reputable website embedded in a frameset on an attacker's site: no organization wants its high-profile pages displayed inside a malicious page. The framekiller code above was adopted by many high-profile websites, but many techniques were soon published that neutralize framekiller scripts, and an escalating contest between framekillers and framekiller-killers followed. Frame-busting JavaScript is therefore best treated as a fallback; the primary defense is a response header the browser enforces before any script on the framed page runs.
X-Frame-Options: DENY (the page may not be framed by any page, including its own origin)
X-Frame-Options: SAMEORIGIN (only pages from the same origin may frame it)
X-Frame-Options: ALLOW-FROM https://www.example.com (only pages from that single origin may frame it; the value is one serialized origin, scheme included, not a bare hostname or a list)
There has also been an effort to add a 'frame-options' directive to Content Security Policy (CSP) 1.1 that would supersede the XFO header, but at the time of writing (July 2013) it is not part of the specification. (It was later standardized as the frame-ancestors directive in CSP Level 2; where a response carries both, browsers that support frame-ancestors give it precedence over X-Frame-Options.) For now, continue to use X-Frame-Options to restrict malicious framing. It is strongly recommended that DENY be set, because not all browsers fully support the other options: in particular, Chrome and Safari ignore ALLOW-FROM, which leaves a page that relies on it unprotected in those browsers, and a value the browser does not recognize is treated as if no header were sent at all. Verify the deployed header by inspecting an actual response rather than the server configuration, since proxies and frameworks sometimes strip or duplicate it.
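As an added example (not code from the original page), the following Python models the RFC 7034 semantics of the three directives listed above so that a reviewer or scanner can decide, from the headers a response actually carried, whether a page at some other origin could frame it. The URLs, header sets and the sample HTTP response are constructed for illustration; the treatment of conflicting values (fall back to DENY) and of ALLOW-FROM (ignored by Chrome and Safari) is modelled on Chromium's behaviour, and the example goes slightly beyond the text by flagging outcomes on which browsers disagree.

```python
"""Evaluate X-Frame-Options (XFO) headers per RFC 7034.

Added example, not code from the original page.  It answers the question a
scanner or reviewer asks: given the headers a page was served with, would a
browser that honours XFO let a page from `embedder_url` put it in a frame?
All URLs, headers and the sample response below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


def serialized_origin(url: str) -> str:
    """scheme://host[:port], lower-cased, default ports dropped (RFC 6454)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


@dataclass
class Verdict:
    allowed: bool      # may a page at embedder_url frame page_url?
    directive: str     # normalised directive that decided the outcome
    consistent: bool   # do all mainstream XFO implementations reach this outcome?


def evaluate_xfo(headers, page_url: str, embedder_url: str) -> Verdict:
    """`headers` is a list of (name, value) pairs as received, any order/case.

    Two behaviours RFC 7034 leaves open are modelled on Chromium (assumption):
      * conflicting values (e.g. DENY plus SAMEORIGIN) fall back to DENY;
      * ALLOW-FROM is honoured by Firefox/IE but ignored by Chrome/Safari,
        so a page relying on it is framable in those browsers.
    Both are reported with consistent=False.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # A single header may carry a comma-separated list; each item counts.
            values.extend(v.strip() for v in value.split(",") if v.strip())

    if not values:
        return Verdict(True, "none", True)   # no header: anyone may frame the page

    # Normalise: the keyword is case-insensitive, ALLOW-FROM keeps its origin.
    normalised = set()
    for v in values:
        tokens = v.split(None, 1)
        keyword = tokens[0].upper()
        rest = tokens[1].strip() if len(tokens) > 1 else ""
        if keyword == "ALLOW-FROM" and rest:
            normalised.add(("ALLOW-FROM", serialized_origin(rest)))
        else:
            normalised.add((keyword, ""))

    if len(normalised) > 1:
        return Verdict(False, "conflicting", False)   # Chromium falls back to DENY

    keyword, allowed_origin = normalised.pop()
    embedder = serialized_origin(embedder_url)
    if keyword == "DENY":
        return Verdict(False, "DENY", True)
    if keyword == "SAMEORIGIN":
        return Verdict(embedder == serialized_origin(page_url), "SAMEORIGIN", True)
    if keyword == "ALLOW-FROM" and allowed_origin:
        return Verdict(embedder == allowed_origin, "ALLOW-FROM", False)
    # Anything else (ALLOWALL, typos, a bare ALLOW-FROM) is ignored by browsers:
    # the page is framable everywhere, which is why DENY is the safe default.
    return Verdict(True, "invalid", True)


def parse_response_headers(raw: bytes):
    """Return (name, value) pairs from the head of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit_response(raw: bytes, page_url: str, embedder_url: str) -> Verdict:
    """Evaluate the XFO policy of a captured response against one would-be embedder."""
    return evaluate_xfo(parse_response_headers(raw), page_url, embedder_url)


# Constructed sample response, as a proxy or scanner might capture it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>login form</body></html>"
)

if __name__ == "__main__":
    page, attacker = "https://www.example.com/login", "https://attacker.example/"
    print("captured response:", audit_response(SAMPLE_RESPONSE, page, attacker))
    for hdrs in ([], [("X-Frame-Options", "SAMEORIGIN")],
                 [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
                 [("X-Frame-Options", "ALLOWALL")]):
        print(hdrs, "->", evaluate_xfo(hdrs, page, attacker))
```

The `consistent` flag is what turns this from a parser into an audit aid: a verdict of `allowed=False, consistent=False` means the page is blocked in some browsers but framable in others, which for a clickjacking defense is effectively no defense.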