Comment by creata

12 hours ago

You're right that everyone should be using X-Frame-Options: DENY (for ancient browsers, plus CSP for newer browsers), but the author managed to pull it off on Google Docs. If even Google can't consistently stick to it, I feel like I should be worried.

All website operators should read this imo: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_...
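An added example, written for this page rather than taken from the thread or the OWASP cheat sheet: a Python checker that classifies a response's anti-framing headers the way browsers treat them (CSP `frame-ancestors` takes precedence where supported, `X-Frame-Options` is the fallback), run over constructed sample header sets.

```python
"""Classify an HTTP response's clickjacking protection from its headers.

The sample header dicts at the bottom are constructed for this demo.
"""


def parse_frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_protection(headers):
    """Return {'xfo', 'csp', 'protected'} for a header dict (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    # X-Frame-Options: browsers honour only DENY and SAMEORIGIN. ALLOW-FROM is
    # obsolete, and a header carrying several conflicting values is handled
    # inconsistently across browsers, so both are flagged as invalid here.
    xfo = "missing"
    if "x-frame-options" in h:
        values = {v.strip().upper() for v in h["x-frame-options"].split(",")}
        xfo = values.pop() if values <= {"DENY", "SAMEORIGIN"} and len(values) == 1 else "invalid"
    # CSP: several policies may be present (folded into one comma-separated
    # line); every policy must permit the framing, so the strictest one wins.
    # Content-Security-Policy-Report-Only is ignored because it enforces nothing.
    csp = "missing"
    for policy in h.get("content-security-policy", "").split(","):
        sources = parse_frame_ancestors(policy)
        if sources is None:
            continue
        if sources == ["'none'"]:
            csp = "none"
            break
        if sources == ["'self'"]:
            csp = "self"
        elif csp == "missing":
            csp = "allowlist"  # restricts framing to listed origins; review by hand
    protected = csp in ("none", "self") or xfo in ("DENY", "SAMEORIGIN")
    return {"xfo": xfo, "csp": csp, "protected": protected}


# Constructed sample responses for the demo.
SAMPLES = {
    "hardened": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo_only": {"x-frame-options": "SAMEORIGIN"},
    "broken_xfo": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, clickjacking_protection(hdrs))
```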

> If even Google can't consistently stick to it

Everything is a target. You can’t assume safety based on reputation or ubiquitousness.

There are so many examples of the trusted well-used thing failing security to mention.