@mithatgogebakan reported a regression in Internet Explorer, allowing for Cross-Site Scripting (XSS) against any endpoint whose response doesn’t include the
X-Frame-Options header. He found that some error responses generated by our web servers didn’t include this header. We addressed this issue by setting the
X-Frame-Options header at the load-balancer level instead of in the web application.