I'm working on a force.com sites page and just got the italicized message below from our web developers. I've had SFDC disable clickjack protections but it didn't work; should I ask them to allow a higher trust setting? Any other advice? Thanks!

The "X-Frame-Options" header needs to be set on the page being embedded in the iFrame (not the calling/parent page), which would be the page being delivered from the "rocketshiphr.force.com" domain.

"X-Frame-Options" is used on pages to control if, and when, a page can be displayed in an iFrame.  Currently, the page coming from "rocketshiphr.force.com" has this set to "SAMEORIGIN", which is why this is not working.  Whoever is responsible for "rocketshiphr.force.com" will need to remove the "X-Frame-Options" header completely.  The "ALLOW-FROM" option is not fully supported across all browsers, so it is not recommended to use that method.

You will need to contact "force.com" about this matter as there is nothing we can do on our end to have this work.  If "force.com" cannot do this, then the only other option you have is to provide a link on that page that points to the URL you are trying to embed in the iFrame.