We should implement X-Frame-Options to help sites defend against ClickJacking. Here is a blog post describing the feature:
I'm not sure this completely solves the ClickJacking problem, but it certainly does more good than harm. I can ask Eric Lawrence for a more detailed design doc if we want to make sure we match IE's behavior.
Here is the Mozilla bug on this topic:
dveditz seems similarly positively disposed to implementing this feature.
This seems to be done in http://trac.webkit.org/changeset/42333
Indeed. I didn't remember this bug when I implemented it. My bad.
The current implementation of X-Frame-Options is not complete!
IE8+ also supports ALLOW-FROM origin:
Are there plans to implement this in webkit?
X-Frame-Options is currently working its way through the IETF. I expect we'll implement whatever the final standard says, but it's not entirely clear what that will be at the moment. Thanks for your interest.