Issue #2514136 by pwolanin, Fabianx: Add default clickjacking defense to core

core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php

@@ -113,6 +113,7 @@ public function onRespond(FilterResponseEvent $event) {
     // XSS and other vulnerabilities.
     // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
     $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
+    $response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
 
     // Expose the cache contexts and cache tags associated with this page in a
     // X-Drupal-Cache-Contexts and X-Drupal-Cache-Tags header respectively.

core/modules/system/src/Tests/Routing/RouterTest.php

@@ -40,7 +40,7 @@ public function testFinishResponseSubscriber() {
     $this->assertEqual($headers['x-ua-compatible'], 'IE=edge');
     $this->assertEqual($headers['content-language'], 'en');
     $this->assertEqual($headers['x-content-type-options'], 'nosniff');
-
+    $this->assertEqual($headers['x-frame-options'], 'SAMEORIGIN');
 
     $this->drupalGet('router_test/test2');
     $this->assertRaw('test2', 'The correct string was returned because the route was successful.');