X-Frame-Options: 'SAMEORIGIN' in Rails by default - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website.
There are three different values for the header field. These values are mutually exclusive; that is, the header field MUST be set to exactly one of the three values.
The valid values are: DENY, SAMEORIGIN, ALLOW-FROM.
So my question is: is there any reason to NOT update the doc? I'm happy to do it, I just wanted to verify first that there wasn't some explanation for why it should be left as-is.
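As an added example (not part of the original post, and not code from Rails), the Ruby check below classifies an X-Frame-Options value against the three forms quoted above, so a configured value such as 'ALLOWALL' shows up as outside that set. The function name, constant names and sample values are constructed for illustration.

```ruby
require "uri"

# The two values that take no argument (ABNF literals are case-insensitive).
BARE_VALUES = %w[DENY SAMEORIGIN].freeze

# Classify one X-Frame-Options header value (hypothetical helper).
# Returns [:ok, normalized_value] or [:invalid, reason].
def check_x_frame_options(raw)
  value = raw.to_s.strip
  return [:invalid, "empty value"] if value.empty?
  # The values are mutually exclusive, so a comma-joined list is not valid.
  return [:invalid, "more than one value"] if value.include?(",")

  token, origin = value.split(/\s+/, 2)
  token = token.upcase

  if BARE_VALUES.include?(token)
    return origin ? [:invalid, "#{token} takes no argument"] : [:ok, token]
  end
  return [:invalid, "unknown value #{token}"] unless token == "ALLOW-FROM"
  return [:invalid, "ALLOW-FROM needs an origin"] if origin.nil?

  uri = begin
    URI.parse(origin)
  rescue URI::InvalidURIError
    nil
  end
  # An origin is scheme://host[:port]; a bare trailing slash is tolerated here,
  # but any longer path, query or fragment is rejected.
  valid_origin = uri.is_a?(URI::HTTP) && uri.host &&
                 ["", "/"].include?(uri.path) && uri.query.nil? && uri.fragment.nil?
  valid_origin ? [:ok, "ALLOW-FROM #{origin}"] : [:invalid, "ALLOW-FROM argument is not an origin"]
end

# Constructed sample values, including the 'ALLOWALL' string from the quoted doc.
SAMPLES = ["SAMEORIGIN", "deny", "ALLOWALL",
           "ALLOW-FROM https://partner.example", "DENY, SAMEORIGIN"].freeze

# Map each value to its classification.
def audit(values)
  values.to_h { |v| [v, check_x_frame_options(v)] }
end

audit(SAMPLES).each do |value, (status, detail)|
  puts format("%-40s %-8s %s", value.inspect, status, detail)
end
```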