Set fixed value for click-jacking protection to sameorigin instead of deny

This commit is contained in:
AndyButland
2016-06-13 20:48:37 +02:00
parent 203e9e3394
commit 0a00be7cfe
3 changed files with 6 additions and 5 deletions


@@ -1355,8 +1355,8 @@ To manage your website, simply open the Umbraco back office and start adding con
<key alias="clickJackingCheckHeaderFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was found.]]></key>
<key alias="clickJackingCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was not found.]]></key>
<key alias="clickJackingSetHeaderInConfig">Set Header in Config</key>
<key alias="clickJackingSetHeaderInConfigDescription">Added a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed.</key>
<key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site has been added to your web.config file.</key>
<key alias="clickJackingSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed by other websites.</key>
<key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site by other websites has been added to your web.config file.</key>
<key alias="clickJackingSetHeaderInConfigError">Could not update web.config file. Error: %0%</key>
<!-- The following key get these tokens passed in:


@@ -1360,8 +1360,8 @@ To manage your website, simply open the Umbraco back office and start adding con
<key alias="clickJackingCheckHeaderFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was found.]]></key>
<key alias="clickJackingCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was not found.]]></key>
<key alias="clickJackingSetHeaderInConfig">Set Header in Config</key>
<key alias="clickJackingSetHeaderInConfigDescription">Added a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed.</key>
<key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site has been added to your web.config file.</key>
<key alias="clickJackingSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed by other websites.</key>
<key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site by other websites has been added to your web.config file.</key>
<key alias="clickJackingSetHeaderInConfigError">Could not update web.config file. Error: %0%</key>
<!-- The following key get these tokens passed in:


@@ -23,6 +23,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
private const string SetFrameOptionsHeaderInConfigActiobn = "setFrameOptionsHeaderInConfig";
private const string XFrameOptionsHeader = "X-Frame-Options";
private const string XFrameOptionsValue = "sameorigin"; // Note can't use "deny" as that would prevent Umbraco itself using IFRAMEs
public ClickJackingCheck(HealthCheckContext healthCheckContext) : base(healthCheckContext)
{
@@ -194,7 +195,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
{
addHeaderElement = new XElement("add");
addHeaderElement.Add(new XAttribute("name", XFrameOptionsHeader));
addHeaderElement.Add(new XAttribute("value", "deny"));
addHeaderElement.Add(new XAttribute("value", XFrameOptionsValue));
customHeadersElement.Add(addHeaderElement);
}
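Review bot: The new XFrameOptionsValue constant is only applied on the path that creates a fresh `<add>` element (the `new XElement("add")` branch); whether an `<add name="X-Frame-Options">` that already exists with a different value — for instance "deny" written by an earlier run of this very fix — is rewritten to the new value is not visible here, because that branch and the rest of the enclosing method lie outside the hunk. It is also worth confirming that the detection side of the check accepts both DENY and SAMEORIGIN rather than comparing against this single constant, since X-Frame-Options tokens are case-insensitive and a site already hardened with "deny" should not be reported as failing after this change. The rationale comment on the constant would be clearer if it stated the trade-off explicitly, e.g. `// "sameorigin" still permits same-origin framing, which the Umbraco back office relies on; "deny" would break it`.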