In my experience, setting X-Frame-Options (XFO) rules works much better than breaking out of iframes. When it comes to rules, it really depends on whether you absolutely have to use iframes. If you can remove iframes from your website completely, using the DENY rule would be best; however, if you still have iframes in your site, use the SAMEORIGIN rule.
The differences between the available rules are outlined below (quoted from IETF):
DENY: A browser receiving content with this header MUST NOT display this content in any frame.

SAMEORIGIN: A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the content itself. If a browser or plugin cannot reliably determine whether the origin of the content and the frame have the same origin, this MUST be treated as "DENY". [TBD] Current implementations do not display if the origin of the top-level browsing context is different than the origin of the page containing the X-FRAME-OPTIONS header.

ALLOW-FROM (followed by a URI of trusted origins): A browser receiving content with this header MUST NOT display this content in any frame from a page of different origin than the listed origin. While this can expose the page to risks by the trusted origin, in some cases it may be necessary to use content from other domains. For example: X-FRAME-OPTIONS: ALLOW-FROM https://www.domain.com/
I would also suggest reading "Clickjack attack – the hidden threat right in front of you" by Troy Hunt.
Hope this helps.
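To make the three rules quoted above concrete, here is an added example (not part of the answer, and not code from the IETF document it quotes) written in Python with only the standard library. `frame_allowed` models how each directive decides whether a page may be shown in a frame, comparing origins (scheme, host, port) the way the quoted text describes, and `with_frame_options` is a small WSGI middleware that sets the header on every response. All function names, the `hello_app` application and the constructed request environ are assumptions made for this illustration.

```python
"""Model of the X-Frame-Options rules (DENY, SAMEORIGIN, ALLOW-FROM) plus a
WSGI middleware that sets the header. Added example, not from the answer;
all names below are this example's own."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Reduce a URL to its origin: scheme://host[:port], default port dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def frame_allowed(xfo_value: str, content_url: str, top_level_url: str) -> bool:
    """Return True if a browser applying the quoted rules may render
    `content_url` inside a frame whose top-level browsing context is
    `top_level_url`, given the response's X-Frame-Options value.

    Unknown or malformed values fail closed here (treated as DENY). Real
    browsers instead ignore an invalid value and allow framing, so a
    misspelled header is equivalent to sending no header at all."""
    tokens = xfo_value.strip().split(None, 1)
    if not tokens:
        return True          # header absent: framing is not restricted
    directive = tokens[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(content_url) == origin_of(top_level_url)
    if directive == "ALLOW-FROM":
        if len(tokens) < 2:
            return False     # ALLOW-FROM without a URI: nothing is trusted
        return origin_of(tokens[1].strip()) == origin_of(top_level_url)
    return False             # unrecognised directive: fail closed


def with_frame_options(app, value: str = "DENY"):
    """WSGI middleware: add X-Frame-Options to every response, replacing
    any value the wrapped app set so the policy is applied uniformly."""
    def wrapped(environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_xfo)
    return wrapped


def hello_app(environ, start_response):
    """Minimal WSGI application used as the wrapped app in this example."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, path: str = "/") -> dict:
    """Drive a WSGI app once with a constructed environ; return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}  # constructed
    for _ in app(environ, start_response):  # consume the body iterator
        pass
    return dict(captured["headers"])


if __name__ == "__main__":
    app = with_frame_options(hello_app, "SAMEORIGIN")
    print(response_headers(app))
    print(frame_allowed("SAMEORIGIN", "https://example.com/page",
                        "https://other.example/"))
```

To serve the wrapped app locally, hand it to `wsgiref.simple_server.make_server` and confirm the header with `curl -I`. Note that the checker compares scheme and port as well as host, so a page served over `https` is not framed by an `http` page of the same host under SAMEORIGIN. ALLOW-FROM was never implemented by every browser; the Content-Security-Policy `frame-ancestors` directive is the way to express an allow list of framing origins today.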