by jimktrains2
4534 days ago
As for XFO, I specifically said that that was my opinion and my experience. I even gave a specific example: adding reddit.com/ before the domain of hackernews, for instance, won't let reddit put it in a frame (in order to put the reddit toolbar above it). I've only ever encountered tools such as that breaking because of XFO. Also, it's my user-agent; it's supposed to do what _I_ want it to do, not what the content author wants it to do, and I can't find a way to disable honoring XFO. For CSP, one example of a larger problem would be accepting and storing unsanitized input. If it's going out to the user as (otherwise executable) JavaScript, are there other places that you're placing unescaped user-submitted data that could be an issue (a SQL statement, perhaps, or the API of a site that trusted you to sanitize things (although they shouldn't))?
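The comment's point about CSP is that unescaped user data reaching a script block is usually a symptom: the same stored value tends to reach other sinks too. The following is an added example, not code from the commenter or from any site mentioned in the thread; it assumes a small Python application with an SQLite store and a constructed sample input, and shows one value flowing to three sinks (SQL, a JavaScript string literal, HTML text), each with its own escaping, alongside the naive concatenation the hardened JS form replaces.

```python
import html
import json
import sqlite3

# Constructed sample user input (not from the original thread): it contains
# characters that are special in three different output contexts at once.
SAMPLE_NAME = "O'Brien </script><b>&</b>"


def naive_js_literal(value):
    """Unsafe: plain concatenation into a <script> block. Shown only so the
    hardened form below has something to be compared against."""
    return '"' + value + '"'


def js_literal(value):
    """Hardened JS string literal. json.dumps escapes quotes and backslashes;
    the extra replacements turn '<', '>' and '&' into JS unicode escapes, so
    the HTML parser never sees a '</script>' hidden inside the data."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def js_literal_round_trips(value):
    """Check that escaping for the JS sink did not change the data itself."""
    return json.loads(js_literal(value)) == value


def html_text(value):
    """Escaping for an HTML text or attribute context: a different sink needs
    a different escaper."""
    return html.escape(value, quote=True)


def closes_script_element(snippet):
    """Detection check: would this snippet let the HTML parser end the
    enclosing <script> element?"""
    return "</script" in snippet.lower()


def open_store():
    """In-memory SQLite database standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_and_fetch(conn, name):
    """The SQL sink: a parameterised query, so the value is data, never SQL.
    The value is stored raw on purpose; escaping belongs at each output sink,
    because the same stored value feeds several of them."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def render_all_sinks(name):
    """Route one stored value to each sink with that sink's own escaper and
    report what each produced."""
    conn = open_store()
    try:
        stored = store_and_fetch(conn, name)
    finally:
        conn.close()
    return {
        "stored": stored,
        "js_naive": naive_js_literal(stored),
        "js_safe": js_literal(stored),
        "html_safe": html_text(stored),
    }


if __name__ == "__main__":
    for sink, out in render_all_sinks(SAMPLE_NAME).items():
        print(f"{sink:10} {out}")
```

Running it prints the stored value unchanged, the naive JS literal with a visible `</script>` still inside it, and the two escaped forms. The design choice worth noting is that nothing is "sanitized" on the way into the database: a value escaped for HTML at storage time would be wrong for the JS sink and wrong for the SQL sink, which is exactly the multi-sink problem the comment describes.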