10.2 Cross-Frame Scripting Attacks

With the default Identity Server configuration, any intruder can load the Identity Server portal login pages, or the pages delivered by Access Gateway ESP, inside an HTML iFrame. To prevent this vulnerability, Access Manager 4.3 disables Cross-Frame Scripting (XFS) for both Identity Server and Access Gateway ESP.

The configuration to prevent this attack is enabled by default in Access Manager 4.3.
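
To confirm the protection is actually in effect after an upgrade or a configuration change, the response headers of the login and ESP pages can be checked for the standard browser anti-framing controls. The following is an added example, not Access Manager code: this section does not say which mechanism the product uses, so the sketch assumes the protection is visible as an `X-Frame-Options` header or a CSP `frame-ancestors` directive, and the page labels and header values are constructed samples.

```python
# Added example, not vendor code. Header names are the standard browser
# anti-framing controls; the sample responses below are constructed.

def framing_policy(headers):
    """Classify one response: 'deny', 'sameorigin', 'allowlist' or 'unprotected'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    # A Report-Only policy is not enforced, so only the enforcing header counts.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            if any(s in ("*", "http:", "https:") for s in sources):
                return "unprotected"  # any origin may frame the page
            return "allowlist"

    # Conservative reading of X-Frame-Options: only a single DENY or
    # SAMEORIGIN counts. ALLOW-FROM is obsolete and ignored by current browsers.
    xfo = h.get("x-frame-options", "").lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    return "unprotected"


def audit(responses):
    """Return (policy per page label, sorted labels that can still be framed)."""
    results = {label: framing_policy(hdrs) for label, hdrs in responses.items()}
    return results, sorted(l for l, p in results.items() if p == "unprotected")


# Constructed header sets standing in for captured responses.
SAMPLE = {
    "identity-server-login": {"X-Frame-Options": "SAMEORIGIN"},
    "access-gateway-esp": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "allow-from-page": {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"},
    "no-headers": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    policies, frameable = audit(SAMPLE)
    for label, policy in policies.items():
        print(f"{label:24} {policy}")
    print("frameable:", frameable)
```

Any page reported as `unprotected` can still be rendered inside a third-party frame and should be reviewed against the configuration described in this section.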