Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Replacing X-Frame-Options with CSP

Tags:

x-frame-options

content-security-policy

I am migrating from X-Frame-Options to Content Security Policy to fix the click-jacking vulnerability. My application used to set the SAMEORIGIN policy in hte X-Frame-Options header. What is the equivalent option in Content-Security-Policy?

like image 826
zilcuanu Avatar asked Mar 27 '17 06:03

zilcuanu

People also ask

Does CSP override X-Frame-options?

Chrome ignores X-Frame-Options . Safari 9 and below ignore CSP frame-ancestors .

What is CSP Frame ancestors?

CSP frame-ancestors. The frame-ancestors directive allows you to specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive we can block or allow a page from being placed within a frame or iframe.

Is X-Frame-options SAMEORIGIN secure?

X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by attackers. The DENY option is the most secure, preventing any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it does enable the use of frames, but limits them to the current domain.

1 Answers

frame-ancestors

  • X-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors 'self'

  • X-Frame-Options: DENYContent-Security-Policy: frame-ancestors 'none'

See also https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options

like image 148
sideshowbarker Avatar answered Sep 19 '22 19:09

sideshowbarker
Sign in to Comment

Related questions

How to append/overide .htaccess Content-Security-Policy with PHP CSP header()
What is a script from source 'undefined' mean in CSP?
Defining a dynamic Content Security Policy in a Single Page Application
Calling insecure endpoint from a website runs under HTTPS - nginx
Firefox WebExtension, isolated HTML overlay
Run non-inline JS locally in Electron
Effective Content Security Policy definition for YouTube.com
Page Specific JavaScript using Content Security Policy (CSP) [duplicate]
Javascript create WebSocket connection refused - content security
Tag inserted by the browser Brave before the head tag
Refused to load _framework/aspnetcore-browser-refresh.js after upgrading visual studio to 16.10.0
JavaScript click() method only works once in Chrome extension
X-Frame-Options and Content-Security-Policy for frames in Firefox
Dynamically compiled lazy loaded dynamic routes in Angular causing 'unsafe-eval' error
Should Content-Security-Policy header be in every server response or only in text/html?
Javascript bookmarklet on site with CSP in Firefox
How can I play sound with a GreaseMonkey script in FireFox when there's a "Content Security Policy" error?
Catching Content Security Policy (CSP) errors
Content Security Policy Violation on File Preview
Prevent request to another domain?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!