X-Frame-Options is an HTTP response header that tells the browser whether, and by whom, the response may be rendered inside a frame (frame, iframe, object or embed element). Framing, combined with window positioning and layering tricks, is the basis of an attack called clickjacking, in which a user is tricked into clicking something other than what they believe they are clicking. For more information see https://www.owasp.org/index.php/Clickjacking.
There are three values for X-Frame-Options:
- DENY. This tells the browser that the page must never be framed, not even by a page from its own origin.
- SAMEORIGIN. This tells the browser that the page may be framed only by a page from the same origin (same scheme, host and port).
- ALLOW-FROM uri. This tells the browser that the page may be framed only by a page from the single origin given (no lists, no wildcards). Only Firefox and Internet Explorer ever implemented this value; Chrome and Safari do not recognise it and ignore the header entirely, which leaves the page framable from anywhere in those browsers. Treat ALLOW-FROM as obsolete and express the policy with the Content-Security-Policy frame-ancestors directive instead.
This site, for example, is set to SAMEORIGIN. So in effect, a page on this origin can be framed by another page on this origin, but not by a page on any other origin.
DENY and SAMEORIGIN are supported by all current browsers. If a page attempts to frame a response whose X-Frame-Options policy forbids it, the browser refuses to render the response in the frame: depending on the browser the frame stays blank (about:blank) or shows an error, and the refusal is logged to the browser console. If a browser doesn't support the header, it will simply ignore it, so the header only protects users of browsers that honour it.