Header Descriptions
The two headers used to combat Clickjacking are X-Frame-Options and Content-Security-Policy.
The Content Security Policy Level 2, which contains frame-ancestors, is supported by the current version of all browsers except Internet Explorer, Edge, Opera Mini, and only partially supported as of Firefox 52. A full list can be found at: http://caniuse.com/#feat=contentsecuritypolicy2. The X-Frame-Options Allow-From header is supported in Internet Explorer as of version 8 and Firefox as of version 18, but is not supported by Chrome, Safari, or Opera. A list of supported browsers can be found at: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations
X-Frame-Options
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM http://example.com - The page can only be displayed in a frame on the specified origin.
Content-Security-Policy
frame-ancestors 'none' - Prevents loading resources in a frame from any origin.
frame-ancestors 'self' - Allows loading resources in a frame but only from the same origin.
frame-ancestors domain1.com domain2.com - Allows loading resources in a frame but only from domains in the given list.
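The following is an added example, not code from the Windchill or ThingWorx product, that evaluates the two headers described above the way a browser would: a browser that understands CSP Level 2 honours frame-ancestors and ignores X-Frame-Options when both are present, and a browser that does not understand ALLOW-FROM ignores the whole X-Frame-Options header, which leaves the page frameable. It goes slightly beyond the directive values listed on this page by also handling CSP host sources with an explicit scheme, a port and a `*.` wildcard. The header sets and the host names (windchill.example.com, thingworx.example.com) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample response headers; not captured from any real server.
SAMPLE_HEADERS = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://thingworx.example.com"},
    "csp-list": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self' https://thingworx.example.com"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "unprotected": {},
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its origin tuple (scheme, host, port), lower-cased."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def host_source_matches(source, page, parent):
    """Match one CSP host-source (domain1.com, https://h:8443, *.example.com) against a parent origin."""
    scheme, host, port = parent
    if "://" in source:
        src_scheme, _, rest = source.partition("://")
    else:
        src_scheme, rest = None, source
    rest = rest.split("/", 1)[0]
    src_host, _, src_port = rest.partition(":")
    # Scheme: an explicit scheme must match; a scheme-less source matches the page's own
    # scheme, or https when the page itself is served over http (CSP's upgrade rule).
    if src_scheme is not None:
        if scheme != src_scheme:
            return False
    elif not (scheme == page[0] or (page[0] == "http" and scheme == "https")):
        return False
    # Host: '*.example.com' covers subdomains only; anything else is an exact match.
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    # Port: '*' matches any, an explicit port must match, no port means the default port.
    if src_port == "*":
        return True
    if src_port:
        return port == int(src_port)
    return port == DEFAULT_PORTS.get(src_scheme or scheme)


def framing_allowed(headers, page_url, parent_url, supports_csp2=True, supports_allow_from=False):
    """Decide whether a browser would render page_url inside a frame hosted at parent_url.

    supports_csp2 / supports_allow_from model the browser capabilities listed in the text.
    Returns (allowed, reason)."""
    page, parent = origin_of(page_url), origin_of(parent_url)
    h = {k.lower(): v for k, v in headers.items()}

    if supports_csp2 and "content-security-policy" in h:
        sources = frame_ancestors_sources(h["content-security-policy"])
        if sources is not None:           # CSP2 browsers use this and ignore X-Frame-Options
            if sources == ["'none'"]:
                return False, "frame-ancestors 'none'"
            for src in sources:
                if src == "'self'":
                    if parent == page:
                        return True, "frame-ancestors 'self'"
                elif not src.startswith("'") and host_source_matches(src, page, parent):
                    return True, "frame-ancestors " + src
            return False, "no frame-ancestors source matched"

    value, _, uri = h.get("x-frame-options", "").strip().partition(" ")
    value, uri = value.upper(), uri.strip()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return parent == page, "X-Frame-Options: SAMEORIGIN"
    if value == "ALLOW-FROM":
        if not supports_allow_from:       # e.g. Chrome/Safari/Opera: whole header is ignored
            return True, "ALLOW-FROM not understood, header ignored"
        return parent == origin_of(uri), "X-Frame-Options: ALLOW-FROM " + uri
    return True, "no framing restriction"


if __name__ == "__main__":
    page = "https://windchill.example.com/Windchill/app"
    for name, hdrs in SAMPLE_HEADERS.items():
        for parent in ("https://windchill.example.com/", "https://thingworx.example.com/"):
            print(name, parent, framing_allowed(hdrs, page, parent, supports_allow_from=True))
```

Running the checker over the sample sets shows why both headers are emitted together: with only a CSP frame-ancestors directive, a browser without CSP Level 2 support frames the page freely, and with only ALLOW-FROM, a browser that does not recognise that value does the same.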