Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to use frame-src and child-src in Firefox and other browsers?

The MDN page on Content Security Policy directives states the frame-src is deprecated and child-src should be used. However, Firefox 37 gives the following error message when I attempt to use child-src

Content Security Policy: Couldn't process unknown directive 'child-src' <unknown> 

This apparent lack of support isn't documented (as far as I could tell) which is frustrating. Is there any place browser support is documented?

Currently I'm using frame-src in addition to child-src, which appears to work. However I'm now wondering if there is any potential for conflict between the two. Presumably frame-src will be ignored by browsers that support child-src? Is that guaranteed?

like image 992
ChrisD Avatar asked May 04 '15 06:05

ChrisD


People also ask

Is frame src deprecated?

The frame-src directive was deprecated in Content-Security-Policy level 2 in favor of child-src (which was introduced in level2). It was then undeprecated in level 3 to replace child-src again (although child-src is still available and not deprecated.

How do I get frame SRC?

Right-clicking on the frame should show you the option "View frame source". By clicking on it, it will open the source code in a new tab.

What is frame SRC?

The HTML <frame> src Attribute is used to specifies the document URL which is used to display in the frame. Syntax: <frame src="URL"> Attribute Values: It contains single value URL which specifies the source of the document. The possible value of the URL is: absolute URL: It points to another website.

What is CSP child-SRC?

The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe> . For workers, non-compliant requests are treated as fatal network errors by the user agent.


1 Answers

Update: Jan 2017:

Stop using child-src and begin using frame-src again.

In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src and actually re-appointed it as the preferred way to achieve this. While child-src is still supported frame-src is once again preferred.


Old post

frame-src is deprecated, but it was only recently made so in CSP Level 2 and not all browsers are up to the latest version of the spec.

The best approach at the moment for maximum browser compatibility is to include both child-src and frame-src with identical values. Browsers that only support the original CSP specification will use frame-src while newer ones will use child-src.

That developer console warning is of no consequence and merely informational. I would suggest you ignore it for now, because a year from now you may very well see one saying that frame-src is deprecated.

At this time, I ensure both are used when this is needed and intend to stop providing frame-src in January of 2017.

CSP Level 2 support:

  • Firefox - Pending
  • Chrome - 40+
  • Opera - 27+
  • Microsoft Edge - Pending
  • Safari - 10+
like image 154
anthonyryan1 Avatar answered Sep 23 '22 17:09

anthonyryan1