What is your exact concern? One should obviously not enter their Facebook credentials while the address bar shows darksecurity.de; after all, instead of framing Facebook, you could just create a fake login form that looks just like theirs.
Clickjacking is a distinct concern, but generally only in cases where a UI action with serious consequences (e.g., deleting your account, sharing something with a stranger) can be accomplished in one or several clicks. The pages you are framing don't seem to fall into this category. It's worth noting that XFO doesn't fully eliminate the risk: http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html An interesting consequence of pages that show your login or other personal information, and can be framed, is that they make phishing a bit easier: you can cleverly arrange them to imply that the top-level page knows who you are. But the gain here probably isn't dramatic. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/