First I'd advise simplifying the problem by getting rid of the secure content being served over a frame.

Not a dig against you or your organization, but we're trying to train the world not to trust forms like the one you provided an image for. I know this isn't part of your question, but a Secure Transaction image is no substitute for that https cert.

If your 3rd party partners have no need to function as a portal for your secure content, then eliminating that possibility would simplify your problem. Implement no-exceptions anti-click-jacking for your secure content. Do the whole page as HTTPS, not just a form or a frame. If someone uses my free wifi hotspot at an airport, I can easily jack the whole form or frame and replace it with my own that looks identical, complete with Secure Transaction image.

Back on point, with the elimination of secure content simplifying the issue some, what remains is a browser compatibility problem with X-Frame-Options.

Theres a question over at stack overflow that discusses this, but it doesn't seem to truly solve the problem, but does answer the question: Browser compatibility continues to be a problem.

Another thing you might consider, I've done some work with porthole.js before for cross-frame communication and one of the things it made me think about is having the ability for a child frame to validate its parent, and for the parent to validate the child frame.

You can quickly check porthole's compatibility by visiting their demo site with the browsers that you care about supporting.

Additionally you could have your partners identify themselves with a querystring.

<iframe src="www.site.com/?partner=3tqdHB"></iframe>

Then when your click-jacking detection detects a parent window, check to see that the proper querystring parameter exists. If it does, challenge the parent frame to prove it's identity, sending a nonce.

The parent frame could then use the provided nonce with it's key to prove it's identity to you.

If everything works out, don't execute your kill script, otherwise, execute kill script.

First I'd advise simplifying the problem by getting rid of the secure content being served over a frame.

Not a dig against you or your organization, but we're trying to train the world not to trust forms like the one you provided an image for. I know this isn't part of your question, but a Secure Transaction image is no substitute for that https cert.

If your 3rd party partners have no need to function as a portal for your secure content, then eliminating that possibility would simplify your problem. Implement no-exceptions anti-click-jacking for your secure content. Do the whole page as HTTPS, not just a form or a frame. If someone uses my free wifi hotspot at an airport, I can easily jack the whole form or frame and replace it with my own that looks identical, complete with Secure Transaction image.

Back on point, with the elimination of secure content simplifying the issue some, what remains is a browser compatibility problem with X-Frame-Options.

Theres a question over at stack overflow that discusses this, but it doesn't seem to truly solve the problem, but does answer the question: Browser compatibility continues to be a problem.

Another thing you might consider, I've done some work with porthole.js before for cross-frame communication and one of the things it made me think about is having the ability for a child frame to validate its parent, and for the parent to validate the child frame.

You can quickly check porthole's compatibility by visiting their demo site with the browsers that you care about supporting.

Additionally you could have your partners identify themselves with a querystring.

<iframe src="www.site.com/?partner=3tqdHB"></iframe>

Then when your click-jacking detection detects a parent window, check to see that the proper querystring parameter exists. If it does, challenge the parent frame to prove it's identity, sending a nonce.

The parent frame could then use the provided nonce with it's key to prove it's identity to you.

If everything works out, don't execute your kill script, otherwise, execute kill script.

First I'd advise simplifying the problem by getting rid of the secure content being served over a frame.

Not a dig against you or your organization, but we're trying to train the world not to trust forms like the one you provided an image for. I know this isn't part of your question, but a Secure Transaction image is no substitute for that https cert.

If your 3rd party partners have no need to function as a portal for your secure content, then eliminating that possibility would simplify your problem. Implement no-exceptions anti-click-jacking for your secure content. Do the whole page as HTTPS, not just a form or a frame. If someone uses my free wifi hotspot at an airport, I can easily jack the whole form or frame and replace it with my own that looks identical, complete with Secure Transaction image.

Back on point, with the elimination of secure content simplifying the issue some, what remains is a browser compatibility problem with X-Frame-Options.

Theres a question over at stack overflow that discusses this, but it doesn't seem to truly solve the problem, but does answer the question: Browser compatibility continues to be a problem.

Another thing you might consider, I've done some work with porthole.js before for cross-frame communication and one of the things it made me think about is having the ability for a child frame to validate its parent, and for the parent to validate the child frame.

Additionally you could have your partners identify themselves with a querystring.

<iframe src="www.site.com/?partner=3tqdHB"></iframe>

Then when your click-jacking detection detects a parent window, check to see that the proper querystring parameter exists. If it does, challenge the parent frame to prove it's identity, sending a nonce.

The parent frame could then use the provided nonce with it's key to prove it's identity to you.

If everything works out, don't execute your kill script, otherwise, execute kill script.

First I'd advise simplifying the problem by getting rid of the secure content being served over a frame.

Not a dig against you or your organization, but we're trying to train the world not to trust forms like the one you provided an image for. I know this isn't part of your question, but a Secure Transaction image is no substitute for that https cert.

If your 3rd party partners have no need to function as a portal for your secure content, then eliminating that possibility would simplify your problem. Implement no-exceptions anti-click-jacking for your secure content. Do the whole page as HTTPS, not just a form or a frame. If someone uses my free wifi hotspot at an airport, I can easily jack the whole form or frame and replace it with my own that looks identical, complete with Secure Transaction image.

Back on point, with the elimination of secure content simplifying the issue some, what remains is a browser compatibility problem with X-Frame-Options.

Theres a question over at stack overflow that discusses this, but it doesn't seem to truly solve the problem, but does answer the question: Browser compatibility continues to be a problem.

Another thing you might consider, I've done some work with porthole.js before for cross-frame communication and one of the things it made me think about is having the ability for a child frame to validate its parent, and for the parent to validate the child frame.

You can quickly check porthole's compatibility by visiting their demo site with the browsers that you care about supporting.

Additionally you could have your partners identify themselves with a querystring.

<iframe src="www.site.com/?partner=3tqdHB"></iframe>

Then when your click-jacking detection detects a parent window, check to see that the proper querystring parameter exists. If it does, challenge the parent frame to prove it's identity, sending a nonce.

The parent frame could then use the provided nonce with it's key to prove it's identity to you.

If everything works out, don't execute your kill script, otherwise, execute kill script.