There is a new alert on the Partnerforce portal that is letting partners know of the upcoming "clickjack protection" for non-setup pages in Winter '13. It seems to be stating that if a customer turns this on, ALL framed/iframed pages (Visualforce or otherwise) will stop working.
Does anybody have any more information on this? If I'm reading it correctly, it's going to be an unusable feature for any customer who either has installed a package that uses frames or has done their own custom implementation using frames or iframes. I've personally seen dozens of customers who do this.
If this is the case, I hope SFDC at least has it turned off by default and boldly warns anyone who turns it on that it is likely to break pages if they use frames anywhere.
Does anybody know anything? It sounds like a feature which could potentially break a LOT of managed package features but is seemingly not getting much press. I posted this question in the official Visualforce forum but got no response.
Best Answer
There's more on this in the Winter '13 release notes.
Interpreting the release notes, it looks like you have to go in and enable the settings. The release notes do inform the user that some pages may display as blank.