Before HTTP headers were an option initial fixes were based on JavaScript. This is now seen as a fall-back defence which is nice to have but is no longer essential.
Please review reference [2] and select either the:
• Best-for-now Legacy Browser Frame Breaking; or
• Window.confirm() protection
As desired