enigma1 - 7:52 pm on Nov 22, 2011 (gmt 0)
The procedure is you take the src link from these js lines (this should be possible, because that's what the browser is going to use to create the request anyways), you do an fsockopen (or curl) in PHP, and you make a request to the other server from your server. The content that comes back is now open to do whatever modifications you want, in other words you act as an elite proxy. This is not SOP and you can emulate whatever you want, send cookies, headers etc. The other end doesn't know the way you browse the content.
And lets assume the other server may send the X-Frame-Options header or any other header, why do you care about it since it will be your server the receiving end, not a real browser.
But if you depend on the original client's IP/origin, then yes there is no point doing that. Because when you emulate the click, it will be your server's ip that will show up on the other end, not the original client.