Closed Bug 929233 Opened 11 years ago Closed 10 years ago

Re-enable XFO for marketplace.firefox.com

Categories

(Marketplace Graveyard :: Security, defect, P5)

Avenir
x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE

People

(Reporter: dchanm+bugzilla, Assigned: dbialer)

References

Details

(Whiteboard: [see comment 6])

Following up on bug 872531. It appears that the dependent bug for re-enabling XFO has been resolved (bug 852720). We should be able to set X-Frame-Options back to SAMEORIGIN once carriers roll out v1.1hd. Unfortunately, this will break support for v1.0.0 and v1.0.1 FxOS phones.
Blocks: 872531
David: How long do we need to support v1.0.0 and v1.0.1 phones?
Flags: needinfo?(dbialer)
I will try to get info on the plans for this from the Firefox OS team and what they forecast. I am not sure I understand the implications of the bug.
Flags: needinfo?(dbialer)
I suspect enabling this would mean any users on one of those devices would receive a technical (read: not one we write) error message and the marketplace would fail to load until they upgraded their phone. We'd have to try it to be sure though.
Data suggests that the switchover to 1.1 is just starting, with 1.0 devices about 80% of the market. I am not sure if all users will be offered the opportunity to upgrade and when this will happen. So, unfortunately, for the foreseeable future, we need to support 1.0, but this depends on what the OEMs do to push out upgrades as new phones have 1.0.
I mean new phones have 1.1.
I have created an automated alert for me when the 1.0 devices drop below 2000 device visits per day. And we will see from there.
David - great, thanks. Marking this P5 and assigning to David so it doesn't keep coming up in triage.
Assignee: nobody → dbialer
Priority: -- → P5
Whiteboard: [see comment 6]
Hmmm, I think JS frame busters are more efficient than XFO. Just a JS code to verify if the parent/origin is allowed to iframe the marketplace or not. What's your opinion?!

<script type="text/javascript">
  if (self === top) {
    // Not framed: remove the element with id "antiClickjack"
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: navigate the top-level window instead
    top.location = 'Your_Website_URL_Here';
  }
</script>

or

<script type="text/javascript">
  // Disable frame hijacking
  if (top != self) top.location.href = location.href;
</script>
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
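A check a deployment could run once the header is restored, as an added example that is not part of the bug thread: it audits a response's X-Frame-Options and flags missing, conflicting or ALLOW-FROM values. The function name `auditXfo` and the sample responses are hypothetical and constructed for illustration.

```javascript
// Added example (not from the bug thread): audit a response's X-Frame-Options.
// `headers` is a plain object; a value may be a string or an array of strings
// (one entry per header line).
function auditXfo(headers) {
  // Header names are case-insensitive; gather every X-Frame-Options line.
  const lines = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, value]) => value);

  // Repeated header lines are equivalent to one comma-separated value,
  // so split on commas and de-duplicate case-insensitively.
  const values = new Set(
    lines
      .flatMap((line) => String(line).split(','))
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v !== '')
  );

  if (values.size === 0) return { ok: false, reason: 'missing' };
  // Two different values are ambiguous; report them instead of picking one.
  if (values.size > 1) return { ok: false, reason: 'conflicting' };

  const [value] = values;
  if (value === 'deny' || value === 'sameorigin') return { ok: true, value };
  // ALLOW-FROM is not supported by current browsers, so it gives no protection there.
  if (value.startsWith('allow-from')) return { ok: false, reason: 'allow-from-unsupported' };
  return { ok: false, reason: 'invalid' };
}

// Constructed sample responses (not captured from marketplace.firefox.com).
const samples = {
  enabled: { 'X-Frame-Options': 'SAMEORIGIN' },
  disabled: { 'Content-Type': 'text/html' },
  doubled: { 'x-frame-options': ['SAMEORIGIN', 'sameorigin'] },
  conflicting: { 'X-Frame-Options': 'SAMEORIGIN, DENY' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditXfo(headers)));
}
```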