Hacker News new | ask | show | jobs
by ishener 3906 days ago
but the request has already been sent. Yes, the browsers will respect this header and not display the page and not run javascript, BUT what if the user tracking is done on the server in the first request? In that case, this technique might work...
1 comments
orf 3906 days ago
I assume they make a preflight HEAD request the same as CORS, in which case they would have to be very sloppy to make that count towards the stats.
link
realityking 3906 days ago
Nope. There's no preflight for X-Frame-Options, as it was designed as a click jacking prevention.
link