Bugzilla developer Frédéric Buclin reported that the
"X-Frame-Options
header is ignored when the value is duplicated,
for example X-Frame-Options: SAMEORIGIN, SAMEORIGIN
. This
duplication occurs for unknown reasons on some websites and when it occurs
results in Mozilla browsers not being protected against possible clickjacking
attacks on those pages