bgarrels / textpattern

Automatically exported from code.google.com/p/textpattern

X-Frame-Options is deprecated #404

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
X-Frame-Options is being deprecated in Firefox in favor of Content Security 
Policy.

http://www.w3.org/TR/CSP

Which is a standard candidate. We should migrate to it and leave the old 
X-Frame-Options as a fallback for older browsers. E.g.

header("Content-Security-Policy: default-src * 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'");

Original issue reported on code.google.com by jukka.m.svahn on 9 Dec 2013 at 12:17
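
An added example, not part of the original issue or Textpattern's code: one way to send the CSP header with X-Frame-Options kept as the fallback for older browsers. It assumes the CSP Level 2 `frame-ancestors` directive, which is the one that governs who may frame a page (`frame-src` governs what the page itself may embed); the helper name `framing_headers` and the sample origin are hypothetical.

```php
<?php
// Added example (not Textpattern code). framing_headers() is a hypothetical helper.

/**
 * Build the anti-framing headers for one response.
 *
 * @param string   $mode    'deny', 'sameorigin' or 'allowlist'
 * @param string[] $origins extra origins allowed to frame the page (allowlist mode)
 * @return string[] complete header lines, ready for header()
 */
function framing_headers(string $mode, array $origins = []): array
{
    if ($mode === 'deny') {
        return ["Content-Security-Policy: frame-ancestors 'none'", 'X-Frame-Options: DENY'];
    }
    if ($mode === 'sameorigin') {
        return ["Content-Security-Policy: frame-ancestors 'self'", 'X-Frame-Options: SAMEORIGIN'];
    }
    if ($mode !== 'allowlist') {
        throw new InvalidArgumentException("Unknown framing mode: $mode");
    }

    foreach ($origins as $origin) {
        // Accept only scheme://host[:port]. Spaces, ';' or ',' in a value
        // would let it smuggle extra sources or directives into the policy.
        if (!preg_match('~^https?://[a-z0-9.-]+(:\d{1,5})?\z~i', $origin)) {
            throw new InvalidArgumentException("Not a valid origin: $origin");
        }
    }

    return [
        'Content-Security-Policy: frame-ancestors '
            . implode(' ', array_merge(["'self'"], $origins)),
        // X-Frame-Options cannot express a list of origins, so the fallback
        // for older browsers is the stricter same-origin rule.
        'X-Frame-Options: SAMEORIGIN',
    ];
}

// Constructed sample origin; on the CLI the lines are printed instead of sent.
foreach (framing_headers('allowlist', ['https://partner.example']) as $line) {
    if (PHP_SAPI === 'cli') {
        echo $line, PHP_EOL;
    } else {
        header($line);
    }
}
```

Browsers that enforce `frame-ancestors` ignore X-Frame-Options when both are present, so the stricter fallback only affects older browsers.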