The X-Frame-Options HTTP response header can be used to defend against clickjacking. Currently, the following browsers have begun to support X-Frame-Options:
- IE 8+
- Opera 10.50+
- Safari 4+
- Firefox 3.6.9 (or earlier with NoScript)
It accepts three values:
- DENY: the browser refuses to load the current page in any frame.
- SAMEORIGIN: the page may be framed only by pages from the same origin.
- ALLOW-FROM: the page may be framed only by the origin specified after the directive.
In addition to X-Frame-Options, Firefox’s Content Security Policy and the NoScript extension can effectively defend against clickjacking. Together, these mechanisms give us several options.
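
The following added example (not from the original page) audits a response's anti-framing headers: it validates the three X-Frame-Options values described above and checks for CSP's `frame-ancestors` directive, the part of Content Security Policy that controls framing. The function names, finding labels and sample headers are assumptions made for illustration.

```python
# Added example: audit anti-framing headers. Names and labels are illustrative.

def parse_xfo(value):
    """Return (directive, origin) for one X-Frame-Options value, None if invalid."""
    parts = value.strip().split(None, 1)
    if not parts:
        return None
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return (directive, None)
    # ALLOW-FROM must name exactly one origin.
    if directive == "ALLOW-FROM" and len(parts) == 2 and len(parts[1].split()) == 1:
        return (directive, parts[1])
    return None


def frame_ancestors(csp):
    """Return the source list of CSP's frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit_framing(headers):
    """Return findings for a list of (name, value) response header pairs."""
    findings = []
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    # Repeated headers are often folded into one comma-separated value.
    parsed = {parse_xfo(p) for v in xfo for p in v.split(",")}
    if not xfo:
        findings.append("xfo-missing")
    elif None in parsed:
        findings.append("xfo-invalid")
    elif len(parsed) > 1:
        findings.append("xfo-conflicting")
    elif next(iter(parsed))[0] == "ALLOW-FROM":
        findings.append("xfo-allow-from")  # not honoured by every browser; review
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not any(frame_ancestors(v) is not None for v in csp):
        findings.append("csp-frame-ancestors-missing")
    return findings


# Constructed sample response headers (not taken from a real site).
SAMPLE = [("X-Frame-Options", "SAMEORIGIN, DENY"),
          ("Content-Security-Policy", "default-src 'self'")]
if __name__ == "__main__":
    print(audit_framing(SAMPLE))
```

An empty findings list means the response sends one valid X-Frame-Options value together with a `frame-ancestors` directive.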