by
sanqui
4102 days ago
You can serve an X-Frame-Options:"DENY" (or "SAMEORIGIN") header to prevent browsers from loading the iframes.
1 comments
sunflowerdeath
4102 days ago
But this is a response header, so the server should respond, and that is the goal of the attack. The browser doesn't send any request headers saying that the site is opened in an iframe.
sanqui
4102 days ago
Sure, but at least the browser won't render the page, so it won't download the additional content like images and scripts. It's partial mitigation.
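An added example, not part of the thread: a WSGI middleware that sets the response header discussed above (plus the CSP `frame-ancestors` equivalent) and also refuses frame loads before the application does any work, using the Fetch Metadata request header `Sec-Fetch-Dest` that current browsers send. The names `FrameGuard`, `ExpensivePage` and `simulate` are hypothetical, and clients that send no Fetch Metadata fall through to the header-only mitigation.

```python
# Added example, not from the thread; all class and function names are hypothetical.
from wsgiref.util import setup_testing_defaults

FRAME_HEADERS = [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "frame-ancestors 'none'")]
FRAME_DESTS = {"iframe", "frame", "embed", "object"}

class ExpensivePage:
    """Stand-in for the real application; counts how often it actually runs."""
    def __init__(self):
        self.hits = 0
    def __call__(self, environ, start_response):
        self.hits += 1
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>page with images and scripts</html>"]

class FrameGuard:
    """Adds anti-framing headers and rejects frame-destined requests early."""
    def __init__(self, app):
        self.app, self.rejected = app, 0
    def __call__(self, environ, start_response):
        # Fetch Metadata: the browser states that the response is destined for
        # a frame, so the request can be refused before the app is invoked.
        if environ.get("HTTP_SEC_FETCH_DEST", "") in FRAME_DESTS:
            self.rejected += 1
            body = b"framing not allowed"
            start_response("403 Forbidden", FRAME_HEADERS + [
                ("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
            return [body]
        def add_headers(status, headers, exc_info=None):
            # Clients without Fetch Metadata still reach the app once; the
            # response headers stop rendering and the subresource fetches.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            return start_response(status, kept + FRAME_HEADERS, exc_info)
        return self.app(environ, add_headers)

def simulate(app, **request_headers):
    """Run one constructed GET through `app`; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(request_headers)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

The `hits` counter shows the difference between the two layers: a request without Fetch Metadata still costs one application call, while a request marked `Sec-Fetch-Dest: iframe` costs none.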