Are ColdFusion's clickjacking filter options (Clickjacking issue - adding multiple url patterns in a single filter mapping) needed if using Internet Information Services' (IIS) HTTP Response Header option setting X-Frame-Options? Is ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation?
Clickjacking is a client side event so "ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation" would not be a issue -- assuming any of this is going on, which I cannot fathom how it would be. You can set the X-Frame-Options header value in either IIS or your CF application using CFHeader. If both IIS and CF sets the value, I'm fairly certain the client will receive two header entries and while ugly, as long as they don't conflict with each other I think you're fine. Does that answer your question?
Is my understanding of your response correct? Web site sends a directive to the client (browser) declaring client should not accept content into IFRAME from anywhere else than the host site? It is up to the client (browser) to handle rejecting any "foreign" (URL path) information within the IFRAME?
Then setting the web server to issue the directive is a more complete method. It covers both ColdFusion applications in addition to any other web site (/application) pages.
Thanks for enlightening me on this web environment process!