This web page tests your browser's x-frame-options support. The X-frame-options header decides whether if another web page can put a given page (with the header) in an iframe. This is commonly used as a defense against clickjacking.
Please note that X-Frame-Options will eventually be replaced by the frame-ancestors directive in Content Security Policy v2.
Results for you current browser:| Deny: | Expected: 1 green check (or empty) | ||
|---|---|---|---|
| SameOrigin: | Expected: 2 green checks (or 1 green check and one empty) | ||
| Allow-from: | Expected: 2 green checks (or 1 green check and one empty) | ||
Handling of non-standard values. According to spec only one value is allowed. What happens if there are two? (Thank you to Alexander Forbes for the idea) | |||
| Deny,Deny: | Green check (or empty) | ||
| Deny,sameorigin + sameorigin,deny: | Two green checks (or empty) | ||
| sameorigin,allow-from + allow-from,sameorigin: | Two green checks (or empty) | ||
| Deny,allow-from + allow-from,deny: | Two green checks (or empty) | ||
| Edge |  |
|---|---|
| IE11 on winphone | (thank you, Chris) |
| IE11 | (thank you, Pedro Laguna) |
| IE10 | |
| IE9 | |
| Firefox 18- | |
| Dolphin 11.4.3 Android |  fails on allow-from (thank you, Peter Carter) |
| Chrome 57 | fails on allow-from (thanks, Greg) |
| Safari 10.0.1 | fails on allow-from |
| Opera 26 | fails on allow-from |
| IE8 | fails on allow-from |
| IE7 | header is not supported, so fails on deny, sameorigin and allow-from |
| IE6 | header is not supported, so fails on deny, sameorigin and allow-from |
| Firefox 17 | fails on allow-from |