Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to use frame-src and child-src in Firefox and other browsers?

Tags:

firefox

content-security-policy

The MDN page on Content Security Policy directives states the frame-src is deprecated and child-src should be used. However, Firefox 37 gives the following error message when I attempt to use child-src

Content Security Policy: Couldn't process unknown directive 'child-src' <unknown>

This apparent lack of support isn't documented (as far as I could tell) which is frustrating. Is there any place browser support is documented?

Currently I'm using frame-src in addition to child-src, which appears to work. However I'm now wondering if there is any potential for conflict between the two. Presumably frame-src will be ignored by browsers that support child-src? Is that guaranteed?

like image 992
ChrisD Avatar asked May 04 '15 06:05

ChrisD

People also ask

Is frame src deprecated?

The frame-src directive was deprecated in Content-Security-Policy level 2 in favor of child-src (which was introduced in level2). It was then undeprecated in level 3 to replace child-src again (although child-src is still available and not deprecated.

How do I get frame SRC?

Right-clicking on the frame should show you the option "View frame source". By clicking on it, it will open the source code in a new tab.

What is frame SRC?

The HTML <frame> src Attribute is used to specifies the document URL which is used to display in the frame. Syntax: <frame src="URL"> Attribute Values: It contains single value URL which specifies the source of the document. The possible value of the URL is: absolute URL: It points to another website.

What is CSP child-SRC?

The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe> . For workers, non-compliant requests are treated as fatal network errors by the user agent.

1 Answers

Update: Jan 2017:

Stop using child-src and begin using frame-src again.

In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src and actually re-appointed it as the preferred way to achieve this. While child-src is still supported frame-src is once again preferred.

Old post

frame-src is deprecated, but it was only recently made so in CSP Level 2 and not all browsers are up to the latest version of the spec.

The best approach at the moment for maximum browser compatibility is to include both child-src and frame-src with identical values. Browsers that only support the original CSP specification will use frame-src while newer ones will use child-src.

That developer console warning is of no consequence and merely informational. I would suggest you ignore it for now, because a year from now you may very well see one saying that frame-src is deprecated.

At this time, I ensure both are used when this is needed and intend to stop providing frame-src in January of 2017.

CSP Level 2 support:

  • Firefox - Pending
  • Chrome - 40+
  • Opera - 27+
  • Microsoft Edge - Pending
  • Safari - 10+
like image 154
anthonyryan1 Avatar answered Sep 23 '22 17:09

anthonyryan1
Sign in to Comment

Related questions

Is it possible to see the data of a post request in Firefox or Chrome?
firefox position absolute inside a relative container issue
How to make <div>s in HTML5 draggable for Firefox?
Firefox redirects localhost to HTTPS
Protect against browser extension injected Javascript code
Disable Firefox Same Origin Policy without installing a plugin
Firefox extension to find out which Javascript event is bound to an inspected element?
Evil Firefox Error -- "A parameter or an operation is not supported by the underlying object"
Firefox Build does not work with Selenium
Why Firefox says that window.event is undefined? (call function with added event listener)
Downloading file to specified location with Selenium and python
Putting a div on a new line (problem caused by floating <ul> elements)
1 pixel line height difference between Firefox and Chrome
Firefox specific margin? [closed]
Firefox does not seem to be faster using the asm.js profile, yet Chrome is
Firefox line-height issue with input fields
Font-size issues comparing chrome and Firefox
Optimize website to show reader view in Firefox
Browsing and editing saved form data in Firefox
Inspect Shadow DOM with Firefox

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!