Web site owners such as Yahoo and Google send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.
If the X-Frame-Options value contains the token Deny, the browser prevents the page from rendering if it is contained within a
frame. If the value contains the token SameOrigin, Internet Explorer
will not render the page if the top level-browsing-context differs from
the origin of the page containing the directive. Blocked pages are
replaced with a "This content cannot be displayed in a frame" error page.