Question

Title says it all.

Imagine this:

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe style="display:none" name="xxx"></iframe>
<form method='POST' action='http://MYPAGE.com/account/' target="xxx" id="xxx">
  <input type='hidden' name='xxxxxxx' value='yyyyyyyy'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("xxx").submit()</script>
</body>
</html>

How can I disable an attack like that?


Solution

Use the X-Frame-Options and set it to DENY or SAMEORIGIN. DENY will completely deny anybody from framing the page in an iframe and SAMEORIGIN will only allow the same origin to display the page in an iframe. See https://coderwall.com/p/kdv1hw for more information.
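Added example, not code from the question or the answer: a minimal WSGI endpoint that sends X-Frame-Options, together with a small evaluator that mirrors how a browser honouring the header decides whether to render the response inside a frame. The header governs rendering of the response in the frame, so that decision is what the evaluator models; a malformed value is ignored by browsers, which is equivalent to sending no header. The action URL is taken from the question, the attacker page URL is a constructed placeholder, and the function names are assumptions. In current browsers the same policy is also expressed with the Content-Security-Policy frame-ancestors directive.

```python
# Added example: an X-Frame-Options emitting endpoint and a policy evaluator.
# Names and URLs other than http://MYPAGE.com/account/ are assumptions.
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) tuple, the browser's notion of an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def may_frame(xfo_value, page_url, framer_url):
    """Would a browser render page_url inside a frame hosted on framer_url?

    xfo_value is the X-Frame-Options header of the page's response, or None
    when the header is absent. Unrecognised values are ignored by browsers,
    which has the same effect as sending no header at all.
    """
    if xfo_value is None:
        return True
    value = xfo_value.strip().upper()
    if value == "DENY":
        return False                      # never framed, not even by itself
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    return True                           # malformed value: header ignored


def make_account_app(xfo_value="DENY"):
    """Build a WSGI app for /account/ that sets the given X-Frame-Options."""
    def account_app(environ, start_response):
        headers = [("Content-Type", "text/html; charset=utf-8")]
        if xfo_value is not None:
            headers.append(("X-Frame-Options", xfo_value))
        start_response("200 OK", headers)
        return [b"<h1>Account</h1>"]
    return account_app


def call_app(app, path="/account/", method="POST"):
    """Invoke a WSGI app in-process; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REQUEST_METHOD"] = method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def framed_response_renders(app, page_url, framer_url):
    """Run the app as the target of the form in the question and ask the
    evaluator whether a hidden iframe on framer_url would display the
    response."""
    _status, headers, _body = call_app(app)
    return may_frame(headers.get("X-Frame-Options"), page_url, framer_url)


if __name__ == "__main__":
    page = "http://MYPAGE.com/account/"       # action URL from the question
    attacker = "http://attacker.example/"     # constructed third-party page
    for policy in (None, "DENY", "SAMEORIGIN"):
        app = make_account_app(policy)
        print(f"{str(policy):>10}: cross-site frame renders ->",
              framed_response_renders(app, page, attacker),
              "| same-origin frame renders ->",
              framed_response_renders(app, page, "http://MYPAGE.com/settings/"))
```

Running the block prints one line per policy: with no header both frames render, with DENY neither does, and with SAMEORIGIN only the frame on http://MYPAGE.com renders. Origins are compared as (scheme, host, port), so an https page framed from an http page on the same host is still cross-origin.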

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow