Comment 0 for bug 863904

François Marier (fmarier) wrote :

To prevent ClickJacking, we should set the X-Frame-Options to Deny for everything that returns HTML:

  https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Preventing_Malicious_Site_Framing_.28ClickJacking.29

We'll need to make sure we don't set it on the dynamic resizer / resolver though.