We are building an ASP.NET website and want to allow only some domains to iFrame our website. CSP is not supported in Internet Explorer. I am setting something like
Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com");
How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy, but it doesn't have frame-ancestors.
Also I am removing the default X-Frame-Options header added by IIS by doing
Response.Headers.Remove("X-Frame-Options");
X-Frame-Options is being superseded by Content-Security-Policy, but as you say, not all browsers fully support Content-Security-Policy yet.
You say you're intentionally removing X-Frame-Options, but you shouldn't. That is supported by Internet Explorer, so if you use it in addition to Content-Security-Policy, you will get the same effect across a wider range of browsers.
See X-Frame-Options documentation here, which includes a mention of IE support: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
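The "send both headers" approach from the answer, as an added example that is not code from the question or the answer. It assumes classic ASP.NET (System.Web) and a constructed allow-list of two origins. One caveat it handles: frame-ancestors takes any number of origins, but X-Frame-Options carries a single value (DENY, SAMEORIGIN, or ALLOW-FROM with exactly one URI), so the X-Frame-Options value is chosen per request from the Referer header, falling back to DENY when the referrer is absent or not on the list.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example (not from the question or answer). Emits both the CSP
// frame-ancestors directive and an X-Frame-Options header for browsers
// such as Internet Explorer that do not implement frame-ancestors.
public static class FrameAncestorsPolicy
{
    // Constructed allow-list for the example; replace with your own origins.
    // ALLOW-FROM needs a full URI, so origins are scheme-qualified here.
    static readonly string[] AllowedOrigins =
    {
        "https://mydomain1.com",
        "https://mydomain2.com"
    };

    public static void Apply(HttpRequest request, HttpResponse response)
    {
        // Browsers that support frame-ancestors use this and ignore X-Frame-Options.
        response.Headers["Content-Security-Policy"] =
            "frame-ancestors " + string.Join(" ", AllowedOrigins);

        // X-Frame-Options can name only one origin, so pick it from the
        // referring page when that referrer is on the allow-list.
        Uri referrer = request.UrlReferrer;
        string origin = referrer == null
            ? null
            : referrer.GetLeftPart(UriPartial.Authority); // scheme://host[:port]

        if (origin != null &&
            AllowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
        {
            response.Headers["X-Frame-Options"] = "ALLOW-FROM " + origin;
        }
        else
        {
            // No usable referrer: deny framing rather than allow it by default.
            response.Headers["X-Frame-Options"] = "DENY";
        }
    }
}

// Hypothetical wiring in Global.asax.cs (name and placement are assumptions):
// protected void Application_BeginRequest(object sender, EventArgs e)
// {
//     FrameAncestorsPolicy.Apply(Request, Response);
// }
```

If IIS already adds X-Frame-Options through customHeaders in web.config, remove it there rather than deleting it per request, so that the value set above is the only one sent. The DENY fallback means an IE visitor whose browser omits the Referer (for example under a strict Referrer-Policy) cannot be framed at all, which is the safer failure mode when the embedding origin cannot be verified.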