Header Descriptions
The two response headers used to combat clickjacking are X-Frame-Options and Content-Security-Policy (through its frame-ancestors directive).
Content Security Policy Level 2, which introduced frame-ancestors, was at the time of writing supported by the current version of all major browsers except Internet Explorer, Edge and Opera Mini, and only partially by Firefox as of version 52; frame-ancestors itself is implemented by current Firefox and by Chromium-based Edge. The full support table is at:
http://caniuse.com/#feat=contentsecuritypolicy2
The X-Frame-Options ALLOW-FROM value is supported by Internet Explorer from version 8 and Firefox from version 18, but not by Chrome, Safari or Opera. Those browsers treat an ALLOW-FROM header as invalid and ignore it entirely, so a page that relies on ALLOW-FROM alone is framable from any origin in them; frame-ancestors is the portable way to permit specific origins. A list of supported browsers can be found at:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations
X-Frame-Options
• DENY - The page cannot be displayed in a frame by any site, including its own origin.
• SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself. Browsers have differed on whether the whole ancestor chain or only the top-level page is checked, so do not rely on it for nested framing.
• ALLOW-FROM http://example.com - The page can only be displayed in a frame on the single specified origin. The value takes exactly one origin, not a list, and browsers that do not implement ALLOW-FROM ignore the whole header.
Content-Security-Policy
• frame-ancestors 'none' - The page cannot be embedded (frame, iframe, object or embed) by any origin; equivalent to DENY.
• frame-ancestors 'self' - The page can only be embedded by pages from the same origin; equivalent to SAMEORIGIN.
• frame-ancestors domain1.com domain2.com - The page can only be embedded by pages from the listed sources. Unlike ALLOW-FROM, several sources can be listed, each optionally with a scheme, a port and a leading *. wildcard.
The directive must use ASCII single quotes around 'none' and 'self'. Like X-Frame-Options, it only takes effect as an HTTP response header and is ignored in a <meta> element. When a response carries both headers, a browser that understands frame-ancestors ignores X-Frame-Options, so send both, kept consistent: frame-ancestors for current browsers and X-Frame-Options as a fallback for older ones.
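As an added example (not code from the original page), the Node.js script below decides from a response's headers whether a page may be embedded by a given framing origin, following the X-Frame-Options and frame-ancestors rules listed above. It goes slightly beyond the lists: it applies the precedence rule that frame-ancestors overrides X-Frame-Options when both are present, and it models browsers without ALLOW-FROM support by ignoring that header. The function names, the supportsAllowFrom flag and the sample header values are constructed for this example.

```javascript
// Added example, not from the original page. Decide whether a page served
// at pageOrigin with the given response headers may be framed by a page on
// framerOrigin. Function names and sample headers are constructed.

// Return the frame-ancestors source list of a CSP value (lower-cased), or
// null when the directive is absent. Only the first occurrence counts;
// browsers ignore a repeated directive within one policy.
function frameAncestorsOf(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Match one host-source expression (https://a.example:8443, *.example.com,
// partner.example) against the framer origin. A source without a scheme
// matches the page's own scheme, or https when the page is served over http.
// Scheme-only sources such as "https:" are not handled here (simplification).
function matchesHostSource(src, pageOrigin, framerOrigin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const framer = new URL(framerOrigin);
  const framerScheme = framer.protocol.slice(0, -1);
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  if (scheme) {
    if (scheme !== framerScheme) return false;
  } else if (framerScheme !== pageScheme && !(pageScheme === 'http' && framerScheme === 'https')) {
    return false;
  }
  if (wildcard ? !framer.hostname.endsWith('.' + host) : framer.hostname !== host) return false;
  if (port && port !== '*') {
    const framerPort = framer.port || (framerScheme === 'https' ? '443' : '80');
    if (port !== framerPort) return false;
  }
  return true;
}

// supportsAllowFrom models the browser: true for IE 8+ / Firefox 18+, false
// for Chrome, Safari and Opera, which treat ALLOW-FROM as an invalid header
// value and ignore the header. Only a single framing level is modelled.
function evaluateFraming(headers, pageOrigin, framerOrigin, supportsAllowFrom = false) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const sameOrigin = new URL(pageOrigin).origin === new URL(framerOrigin).origin;

  const sources = frameAncestorsOf(header('content-security-policy'));
  if (sources !== null) {
    // frame-ancestors takes precedence: X-Frame-Options is not consulted.
    if (sources.length === 0 || sources.includes("'none'")) {
      return { allowed: false, reason: "frame-ancestors 'none'" };
    }
    for (const src of sources) {
      if (src === '*') return { allowed: true, reason: 'frame-ancestors *' };
      if (src === "'self'") {
        if (sameOrigin) return { allowed: true, reason: "frame-ancestors 'self'" };
      } else if (matchesHostSource(src, pageOrigin, framerOrigin)) {
        return { allowed: true, reason: `frame-ancestors ${src}` };
      }
    }
    return { allowed: false, reason: 'frame-ancestors: framer matches no source' };
  }

  const xfo = header('x-frame-options');
  if (xfo === undefined) return { allowed: true, reason: 'no anti-framing header' };
  const value = xfo.trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (upper === 'SAMEORIGIN') return { allowed: sameOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  if (upper.startsWith('ALLOW-FROM ')) {
    if (!supportsAllowFrom) {
      return { allowed: true, reason: 'X-Frame-Options: ALLOW-FROM unsupported, header ignored' };
    }
    const permitted = new URL(value.slice('ALLOW-FROM '.length).trim()).origin;
    return { allowed: permitted === new URL(framerOrigin).origin, reason: `X-Frame-Options: ALLOW-FROM ${permitted}` };
  }
  return { allowed: true, reason: `X-Frame-Options: invalid value "${value}" ignored` };
}

// Constructed sample responses for a page at https://app.example, each
// checked against an attacker-controlled framer.
const samplePage = 'https://app.example';
const sampleResponses = {
  cspAllowList: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  bothHeaders: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example', 'Content-Security-Policy': "frame-ancestors 'none'" },
};
for (const [name, headers] of Object.entries(sampleResponses)) {
  console.log(name, evaluateFraming(headers, samplePage, 'https://evil.example'));
}
```

The xfoAllowFrom sample is the case to watch for: with supportsAllowFrom left at its default of false (a Chrome-like browser) the function reports the page as framable, which is exactly the gap the support notes above describe.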