The Natural Philosopher wrote:

Andy Burns wrote:

The Natural Philosopher wrote:

Chris J Dixon wrote:

AIUI, it is the web site that has the strict policy,

no. it is a setting in the browser.

No, its a configuration option in the webserver that the browser
obeys, e.g. this page shows how to configure it for apache, nginx, iis
etc

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Not quite. Servers may request it, but browsers may or may not honour it.

The danger of relying on client-side security ...

But in this case it's irrelevant, the proper tickets iframe doesn't rely
on sameorigin, it's only the "you're blocked" page being substituted by
cloudflare that is triggering the error.