Summary:

Sage CRM already includes JavaScript code in its screens to prevent them from being displayed in an IFrame. This is to prevent a method of attack known as clickjacking. As of 2013, the X-Frame-Options header has been standardised as RFC 7034. On receipt of this header, a web browser will prevent the display of a page in an IFrame.

More information:

This header can be added manually to a CRM site by going to the HTTP Response Headers section in IIS Manager. Adding a new header called X-FRAME-OPTIONS with a value of SAMEORIGIN will prevent CRM from being loaded in an IFrame, unless the container page is hosted on the same domain.
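The IIS Manager step described above can also be scripted and then checked from the client side. The following is an added example, not Sage's own code; it assumes Windows PowerShell on the IIS host with the WebAdministration module available, and `$SitePath` and `$Url` are hypothetical placeholders to replace with the values for your installation.

```powershell
# Added example: scripted equivalent of the IIS Manager step, plus a check.
# $SitePath and $Url are placeholders (assumptions), not values from Sage.
Import-Module WebAdministration

$SitePath = 'IIS:\Sites\Default Web Site\CRM'   # hypothetical site/application path
$Url      = 'http://localhost/CRM/'             # hypothetical URL served from that path
$Section  = 'system.webServer/httpProtocol/customHeaders'
$Entry    = "$Section/add[@name='X-Frame-Options']"

# Look for an existing entry first so the script is safe to re-run
# and never writes a duplicate header.
$existing = Get-WebConfiguration -PSPath $SitePath -Filter $Entry

if (-not $existing) {
    # No entry yet: add it, as "Add..." does in HTTP Response Headers.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $Section -Name '.' `
        -Value @{ name = 'X-Frame-Options'; value = 'SAMEORIGIN' }
}
elseif ($existing.value -ne 'SAMEORIGIN') {
    # Entry exists with a different value: correct it in place.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $Entry `
        -Name 'value' -Value 'SAMEORIGIN'
}

# Confirm the header actually reaches the browser, not just the config.
$response = Invoke-WebRequest -Uri $Url -UseBasicParsing
$sent = $response.Headers['X-Frame-Options']

if ($sent -eq 'SAMEORIGIN') {
    Write-Output "OK: $Url sends X-Frame-Options: $sent"
}
else {
    Write-Warning "X-Frame-Options is '$sent' on $Url (expected SAMEORIGIN)"
}
```

Run it from an elevated prompt. On a customised system, follow it with a pass through any customisations that embed CRM screens in a frame hosted on another domain, since those will stop loading once the header is sent.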

Please note that this header may not be effective in all browsers. The protection afforded by the X-Frame-Options header will only apply to IE8 and later, and current versions of Safari, Firefox and Chrome.

The header will not be set by default in a Sage CRM installation, as it may interfere with customer customisations. There should be no issues enabling the header with a new copy of Sage CRM, should this be so desired.