Menu
I am migrating from X-Frame-Options to Content Security Policy to fix the click-jacking vulnerability. My application used to set the SAMEORIGIN policy in hte X-Frame-Options header. What is the equivalent option in Content-Security-Policy?
826
Chrome ignores X-Frame-Options . Safari 9 and below ignore CSP frame-ancestors .
CSP frame-ancestors. The frame-ancestors directive allows you to specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive we can block or allow a page from being placed within a frame or iframe.
X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by attackers. The DENY option is the most secure, preventing any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it does enable the use of frames, but limits them to the current domain.
frame-ancestors
X-Frame-Options: SAMEORIGIN ➡ Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: DENY ➡ Content-Security-Policy: frame-ancestors 'none'
See also https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options
148
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
