X-FRAME-OPTIONS -- Am I missing something?
Has anyone seen this?
Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox
I ran across this blog entry at SANS:
But to me it seems like a big failure, unless I'm missing something.
1) As a malicious user, you could simply remove this tag via a personal proxy, adblock rule, etc.
It's supposed to stop CSRF, but if you can remove it from the page/frame, how does it protect anything?