developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes
Unknown
Vulnerability Details
#Issue
You can iframe the error pages for https://developer.uber.com/404 and https://developer.uber.com/docs/404
#Proof of concept
An example can be found here: http://codepen.io/JacobReynolds/pen/VaMbde?editors=1010
#Impact
There is not a large security impact from a cursory glance at the 404 pages. The docs page has a ReadMe.io login that is accessible in the iframe, but without some pretty clever trickery it would be hard to keylog a user's login info from there.
You are able to redirect in the iframe from /docs/404 to /404 but that is as much movement as you can get within the domains.
#Possible Fixes
Adding the X-Frame-Options:SAMEORIGIN header to the response for both of these pages would be the solution.
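To check whether a response carries the fix proposed above, the following added example (not part of the original report) classifies a response's framing policy from its headers. The function name `framingPolicy` is hypothetical and the sample header maps are constructed, not captured from developer.uber.com. It goes slightly beyond the report by also reading the CSP `frame-ancestors` directive, which browsers honour in preference to `X-Frame-Options`.

```javascript
// Added example. Returns 'deny', 'sameorigin', 'allowlist' or 'unrestricted'
// for a map of response headers, following how current browsers decide framing.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // A CSP frame-ancestors directive, when present, takes precedence over
  // X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    if (sources.length === 0 || sources.every((s) => s === "'none'")) return 'deny';
    if (sources.every((s) => s === "'self'")) return 'sameorigin';
    if (sources.includes('*')) return 'unrestricted';
    return 'allowlist';
  }

  // X-Frame-Options may be repeated; repeated headers arrive comma-joined.
  const xfo = new Set(
    (h['x-frame-options'] || '').split(',').map((v) => v.trim().toLowerCase()).filter(Boolean)
  );
  const recognised = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  if (xfo.size > 1 && recognised) return 'deny'; // conflicting values fail closed
  if (xfo.has('deny')) return 'deny';
  if (xfo.has('sameorigin')) return 'sameorigin';
  return 'unrestricted'; // header absent, obsolete ALLOW-FROM, or unrecognised value
}

// Constructed sample responses for the two error pages named in the report.
const samples = [
  ['/404, no framing headers', { 'Content-Type': 'text/html' }],
  ['/docs/404, proposed fix applied', { 'X-Frame-Options': 'SAMEORIGIN' }],
  ['/404, CSP equivalent of the fix', { 'Content-Security-Policy': "frame-ancestors 'self'" }],
];
for (const [label, headers] of samples) {
  console.log(`${label}: ${framingPolicy(headers)}`);
}
```

A result of `unrestricted` means a page on any other origin can embed the response in an iframe, which is the condition the report describes.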
Report Stats
- Report ID: 130136
- State: Closed
- Substate: informative
- Upvotes: 1