{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Explosion°爆炸 的问题《How useful is the X-Frame-Options header in protec》','https://www.manongdao.com/q-312057.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Adding the X-Frame-Options DENY to the response header helps protect against malicious framing of the web page and as a solution it's certainly better that client-side JavaScript solutions.
But just how useful is it? Is is supported by all (modern) browsers and can it be bypassed by hackers intent on hijacking your site?
EricLaw's page maintains a list of supporting browsers.
Current verions of the major desktop browsers all support it; older versions and niche and some mobile browsers don't. So you will probably want to include an anti-framing
<script>as well, to settop.location(and remove the page content first in case of anti-frame-busting; see this question for why).You might prefer the script approach to
X-Frame-Optionswhen you want to selectively allow framing.X-Frame-Optionsdoes not permit ‘whitelisting’, so you can't eg allow Google Images traffic but not others.Either way, IE6-7 will still allow attackers to frame your page and disable the frame-buster. Unfortunately the questionable
<iframe security>attribute existed beforeX-Frame-Options. You could try adding<base target="_top">to try to make any navigation break out traditional framing (or just not work, in the presence of anti-frame-busters), but this can't help you against invisible-iframe-overlay attacks.