Add a guideline on framing protection

[wbamberg]

Fixes #15.

[aaronshim]

However, X-Frame-Options has better support in older browsers.

Technically it's just IE that does XFO but not f-a, should we make that more clear? (To send a clearer message that f-a is supposed to be deprecating XFO and is the much much more preferred solution)

f-a should be a part of the CSP2 spec that is very well supported on, well, almost everything that should be out there today!

[ctcpip]

It's not just IE, it's older browsers of any variety.

[wbamberg]

I've adjusted it to include IE, link to caniuse, and strengthened the wording from "older" to "obsolete".

[ctcpip]

Suggested change

	The `frame-ancestors` directive offers more fine-grained control, allowing you to list sites that are allowed to embed your site. However, `X-Frame-Options` has better support in older browsers. Since browsers that support `frame-ancestors` will ignore `X-Frame-Options`, it is best to include both methods.
	The `frame-ancestors` directive offers more fine-grained control, allowing you to list sites that are allowed to embed your site. However, `X-Frame-Options` has better support in older browsers, so it is best to include both methods. Note that when both are provided, browsers which support `frame-ancestors` will prioritize `frame-ancestors` and ignore `X-Frame-Options`.

suggestion for clarity

[wbamberg]

Agree that it's helpful to say "when both are included" here and I have done that. To me "prioritise" implies that the non-prioritised thing may still get attention (i.e. priorities are relative) so I have not used that particular wording.

[ctcpip]

In most cases, you would not want a production site to be embeddable elsewhere, especially unknown origins. I suggest the default recommendation would be to restrict, and provide guidance for if a user needs the site to be embeddable, and to set the configuration as narrow as possible to only exactly what they need, to minimize risk.

[wbamberg]

-> 7e4c347