diff --git a/CHANGELOG b/CHANGELOG
index d46771aa7..c9b7e9ec2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -72,6 +72,7 @@ CHANGELOG Roundcube Webmail
 - Fix syntax error in mssql.initial.sql (#6097)
 - Fix bug where contacts export by selection returned no more than 10 entries (#6103)
 - Fix searching contacts by address in LDAP source (#6084)
+- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
 
 RELEASE 1.3.3
 -------------
diff --git a/program/js/app.js b/program/js/app.js
index 9dfb15968..da7e7f920 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -176,24 +176,6 @@ function rcube_webmail()
 for (n in this.gui_objects)
 this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
 
- // clickjacking protection
- if ((n = this.env.x_frame_options) && self !== top) {
- try {
- // bust frame if not allowed
- if (n.toLowerCase() == 'deny' && top.location.href != self.location.href)
- top.location.href = self.location.href;
- else if (/^allow-from[\s\t]+(.+)$/i.test(n) && RegExp.$1.indexOf(top.location.origin) != 0)
- throw 1;
- else if (top.location.hostname != self.location.hostname)
- throw 1;
- } catch (e) {
- // possible clickjacking attack: disable all form elements
- $('form').each(function(){ ref.lock_form(this, true); });
- this.display_message("Blocked: possible clickjacking attack!", 'error');
- return;
- }
- }
-
 // init registered buttons
 this.init_buttons();