"If the evil website runs in IE7 compatibility mode, then so does yours!" Braun said. If your website would not allow itself to be framed by using X-Frame-Options, your IE users wouldn't be at risk, he said.
Another technique that involves the window.name attribute could be used to bypass certain restrictions and more easily execute XSS (cross-site scripting) attacks when a site is loaded into a frame, the Mozilla security engineer said.
Braun recently published with another researcher a paper on X-Frame-Options that covers many attacks the header can prevent in detail.
"These and many other attacks are possible if you allow your web page to be displayed in a frame," Braun said in the Mozilla blog post. "The fact that many other sites are vulnerable to these sorts of attacks is not a good reason to leave your website unprotected. You can easily address many security problems by just adding this simple header to your web application right away."
The Mozilla developers site includes information on how to configure X-Frame-Options on the Apache and Nginx Web servers and Braun's blog post contains links to instructions on how to enable the header on Web frameworks like Django and NodeJS.
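As an added illustration of the header the article discusses (this is example code written for this page, not code from Braun's post, the paper, or the Mozilla documentation), the following Node.js snippet sets X-Frame-Options on every response and audits a response's headers for the common ways the protection silently fails: the header is absent, repeated with conflicting values, or uses ALLOW-FROM, which not all browsers honour. The header-object shape assumed is the one Node's http module exposes (lower-cased names, repeated headers joined with ", "); the `handler` function and the fake response in `runHandler` are hypothetical stand-ins.

```javascript
// Classify an X-Frame-Options header the way RFC 7034 defines its values.
// `headers` is a plain object like http.IncomingMessage.headers (assumption:
// names lower-cased, repeated headers joined with ", ").
function auditFrameOptions(headers) {
  const raw = headers['x-frame-options'];
  if (raw === undefined) {
    return { protected: false, reason: 'header missing: page can be framed by any site' };
  }
  // Browsers ignore the header entirely when several conflicting values are
  // sent, which leaves the page framable even though "a header" is present.
  const values = String(raw).split(',').map((v) => v.trim().toUpperCase()).filter(Boolean);
  const distinct = [...new Set(values)];
  if (distinct.length === 0) {
    return { protected: false, reason: 'empty value' };
  }
  if (distinct.length !== 1) {
    return { protected: false, reason: `conflicting values: ${distinct.join(' | ')}` };
  }
  const value = distinct[0];
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: value };
  }
  if (value.startsWith('ALLOW-FROM ')) {
    // Only some browsers ever implemented ALLOW-FROM; the others treat the
    // header as invalid, so it must not be counted as protection.
    return { protected: false, reason: 'ALLOW-FROM is not honoured by all browsers' };
  }
  return { protected: false, reason: `unrecognised value: ${value}` };
}

// Hypothetical request handler: every response refuses framing by other origins.
function handler(req, res) {
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<h1>framing by other origins is blocked</h1>');
}

// Constructed fake response so the handler can be exercised without a socket;
// returns the headers it set, in the lower-cased form auditFrameOptions expects.
function runHandler(fn) {
  const headers = {};
  const res = {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
    end: () => {},
  };
  fn({ url: '/' }, res);
  return headers;
}
```

Pass the function to `http.createServer(handler)` to serve it; run `auditFrameOptions` over the headers of a fetched response to check a deployed site.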