Has anyone seen this?

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

I ran across this blog entry at SANS:

But to me it seems like a big failure, unless I'm missing something.

1) As a malicious user you could simply remove this tag via a personal proxy, adblock rule, etc.
2) Couldn't you use javascript to load the page/object in a frame and strip this tag out? I'm sure javascript has the ability to request/filter content. (I'm thinking XMLHttpRequest, etc)

It's supposed to stop CSRF but if you can remove it from the page/frame how does it protect anything?