X-Frame-Options

The X-Frame-Options HTTP header field protects pages against clickjacking attacks by allowing sites to opt-out of being embedded in cross-origin (or any) contexts.

Specification

Established standard

Status in Chromium

Blink components: Blink

Enabled by default in:

• Chrome for desktop release 4
• Chrome for Android release 4
• Chrome for iOS release 4
• Android WebView release 4
• Opera release 4
• Opera for Android release 4

Consensus & Standardization

• Firefox: Shipped
• Edge: Shipped
• Safari: Shipped
• Web Developers: Positive

Owner

• mkwst@chromium.org

Last updated on 2017-06-14