Yoav Nir is the Document Shepherd. Barry Leiba is the Responsible
This informational document records the existing use and
specification of the X-Frame-Options HTTP response header field.
To improve the protection of web applications against Clickjacking,
this specification describes the X-Frame-Options HTTP response
header field that declares a policy communicated from the server to
the client browser on whether the browser may display the transmitted
content in frames that are part of other web pages.
Review and Consensus
In 2009 and 2010, many browser vendors introduced the non-standard
HTTP header field "X-Frame-Options" to protect against Clickjacking.
There have been differences between the various implementations,
which may cause security and interoperability concerns. This draft
has been produced as Informational by the websec working group to
document the current use and to serve as a baseline for the future
unified standard, which is being produced as part of Content Security
Policy 1.1 (by WebAppSec at the W3C) and which also gets rid of the
deprecated "X-" prefix (see RFC 6648).
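The abstract above describes the header as a policy the server sends and the browser enforces, and the paragraph above notes that deployed browsers have enforced it differently. The following is an added example, not part of the shepherd write-up or of RFC 7034 itself: a simplified model of the decision a browser makes when a framed document carries X-Frame-Options. The directive values DENY, SAMEORIGIN and ALLOW-FROM are the ones RFC 7034 documents; the choice to check SAMEORIGIN against every ancestor frame (the stricter of the two interpretations the RFC notes in deployed browsers), to check ALLOW-FROM against the top-level document only, and to fail closed on anything unparseable are this example's own assumptions, not a statement about any particular browser. All origins and sample cases are constructed.

```javascript
// Added example, not part of the shepherd write-up or of RFC 7034 itself:
// a simplified model of the decision a browser makes when a document that
// carries an X-Frame-Options response header is loaded inside a frame.
// The directive values DENY, SAMEORIGIN and ALLOW-FROM are the ones the RFC
// documents; how strictly to compare origins and what to do with malformed
// input are this example's own (deliberately conservative) choices.

// Reduce a serialized URL or origin to a canonical origin string
// ("scheme://host[:port]", default port dropped). Returns null if it
// cannot be parsed or has an opaque ("null") origin.
function canonicalOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;
  }
}

// Parse the raw header value. Returns null when no header was sent,
// { directive: 'DENY' | 'SAMEORIGIN' } or { directive: 'ALLOW-FROM',
// allowFrom: origin } for a well-formed value, and { directive: 'INVALID' }
// otherwise. Directive names are matched case-insensitively. Several
// header instances are often folded into one comma-separated value; a
// value carrying more than one directive is treated as invalid here
// because the directives may conflict.
function parseXFrameOptions(headerValue) {
  if (headerValue === null || headerValue === undefined) return null;
  const parts = headerValue.split(',').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length !== 1) return { directive: 'INVALID' };
  const tokens = parts[0].split(/\s+/);
  const directive = tokens[0].toUpperCase();
  if (directive === 'DENY' || directive === 'SAMEORIGIN') {
    return tokens.length === 1 ? { directive } : { directive: 'INVALID' };
  }
  if (directive === 'ALLOW-FROM' && tokens.length === 2) {
    const allowFrom = canonicalOrigin(tokens[1]);
    if (allowFrom !== null) return { directive: 'ALLOW-FROM', allowFrom };
  }
  return { directive: 'INVALID' };
}

// Decide whether the framed document may be rendered.
//   headerValue:     raw X-Frame-Options value, or null if absent
//   documentOrigin:  origin of the document carrying the header
//   ancestorOrigins: origins of the enclosing frames, ordered from the
//                    immediate parent up to the top-level document
// SAMEORIGIN is checked against every ancestor (the stricter of the two
// interpretations the RFC notes in deployed browsers); ALLOW-FROM is checked
// against the top-level document only. Anything the parser rejects fails
// closed, which is this model's choice rather than any browser's behaviour.
function mayRenderInFrame(headerValue, documentOrigin, ancestorOrigins) {
  const policy = parseXFrameOptions(headerValue);
  if (policy === null) return true;              // no policy: framing allowed
  if (ancestorOrigins.length === 0) return true; // not framed: nothing to restrict
  switch (policy.directive) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return ancestorOrigins.every((o) => o === documentOrigin);
    case 'ALLOW-FROM':
      return ancestorOrigins[ancestorOrigins.length - 1] === policy.allowFrom;
    default:
      return false;
  }
}

// Constructed cases (not captured traffic) exercising each directive and
// the nested-frame case where the two SAMEORIGIN interpretations diverge.
const APP = 'https://app.example';
const OTHER = 'https://other.example';
const cases = [
  ['(none)', APP, [OTHER]],
  ['DENY', APP, [APP]],
  ['sameorigin', APP, [APP]],
  ['SAMEORIGIN', APP, [APP, OTHER]], // same-origin parent, foreign top-level
  ['ALLOW-FROM https://other.example/', APP, [OTHER]],
  ['DENY, SAMEORIGIN', APP, [APP]],
];
for (const [header, doc, ancestors] of cases) {
  const value = header === '(none)' ? null : header;
  console.log(`${header.padEnd(36)} -> ${mayRenderInFrame(value, doc, ancestors) ? 'render' : 'refuse'}`);
}
```

The nested case (a same-origin parent inside a foreign top-level page) is the one where the two SAMEORIGIN interpretations give different answers: a browser that compares only the top-level origin refuses, one that compares only the immediate parent renders, and the all-ancestors rule used here refuses. That is exactly the kind of implementation difference with security consequences that the paragraph above refers to.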
The review process took sufficient time and involved a moderate number
of people with deep browser security knowledge. No major controversies
came up during the review, which is not surprising given that the
draft is intended as Informational and documents existing practice.
Each author has confirmed conformance with BCPs 78 and 79: Tobias has
confirmed, and David has also confirmed.