I have a small issue with X-Frame-Options HTTP headers.
I have an X-Frame-Options header that states:
Header always append X-Frame-Options SAMEORIGIN
I have found a site that links (in a frame) back to my site, and this just shows a blank page, which is what's expected. But I would ideally like to be able to serve a placeholder page explaining to the end user that my site cannot be viewed in other people's frames.
Rather like people who hotlink images can be served a denial/placeholder image.
I have found here some guides for this sort of thing but this uses Java and my server is LAMP.
Can I set up outputting a default web page for non-SameOrigin pages that call my website via frames? There is nothing about this in the RFC.
No you can't do this.
The only way I could think to do this would be by removing that header for that particular page and then perhaps using some JavaScript to redirect if it confirms it's not the top page. That has its own risks though (such as for users who disable JavaScript).
However, isn't this more a problem with the site attempting to frame your site? If they frame a page from an external site (e.g. your site) then they always run the risk of this happening, and it's a bit cheeky (and a security risk) to do this anyway. I fail to see how you preventing this will reflect badly on your site (or at least any worse than a "sorry we don't allow framing" message).
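The approach the answer sketches (serve one placeholder page without the X-Frame-Options header and let a script detect that it is being framed), as an added example that is not part of the original question or answer. Instead of redirecting, it swaps the page body for a notice with a link that opens the site at the top level. The site name, the `render`-style helper names and the constructed fake `window` objects are assumptions. The check only runs where JavaScript is enabled, and the browser does render the page before the script runs, so the placeholder page itself must contain nothing worth clickjacking.

```javascript
// Added example: detect whether this document is rendered inside a frame and,
// if so, replace the page content with a placeholder explaining the policy.
// Only meaningful on a page served WITHOUT X-Frame-Options; with the header
// present the browser never renders the page, so no script ever runs.

// Pure check, written against a window-like object so it can be tested with
// a constructed fake. Comparing top and self never throws, even when the
// framing page is cross-origin (reading top.location would).
function isFramed(win) {
  return win.top !== win.self;
}

// Escape text before placing it in markup, in case the site name or URL
// ever comes from configuration rather than a literal.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the placeholder markup. target="_top" asks the browser to open the
// link in the top-level window rather than inside the frame.
function framingNotice(siteName, selfUrl) {
  return (
    '<p>' + escapeHtml(siteName) +
    " cannot be displayed inside another site's frame.</p>" +
    '<p><a href="' + escapeHtml(selfUrl) + '" target="_top">Open it directly</a></p>'
  );
}

// Apply the policy to a window: returns true when the placeholder was shown,
// false when the page is top-level and should render normally.
function applyFramingPolicy(win, siteName) {
  if (!isFramed(win)) return false;
  win.document.body.innerHTML = framingNotice(siteName, win.location.href);
  return true;
}

// In a real browser, run against the global window (hypothetical site name).
if (typeof window !== 'undefined') {
  applyFramingPolicy(window, 'example.com');
}
```

A sandboxed frame without `allow-top-navigation` will not follow the `_top` link, and a framing page can still obscure the notice, so this is a courtesy message for honest embedders rather than a substitute for the header on pages that matter.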