X-Frame-Options: ALLOW-FROM in firefox and chrome
I'm implementing a "pass-through" for X-Frame-Options to let a partner site wrap my employer's site in an iframe, as per this article: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx (splitting up URLS to post) In a nutshell, our partner's page has an iframe with an URL against our domain. For any page in our domain, they'll add a special url argument like &@mykey=topleveldomain.com , telling us what the page's top level domain is. Our filters pick up the partner TLD, if provided, from the URL, and validate it against a whitelist. If it's