Reputation: 34244
How does Content-Security-Policy work with X-Frame-Options?
Does Content-Security-Policy ignore X-Frame-Options, returned by a server, or is X-Frame-Options still primary?
Assuming that I have:
- a website http://a.com with
X-Frame-Options: DENY - and a website http://b.com with
Content-Security-Policy: frame-src a.com
will browser load this frame?
It is unclear.
On the one hand, http://a.com explicitly denies framing.
On the other hand, http://b.com explicitly allows framing for http://a.com.
Upvotes: 80
Views: 101504
Answers (3)
Reputation: 177
None of your hypotheses are universally true.
- Chrome ignores
X-Frame-Options. - Safari 9 and below ignore CSP
frame-ancestors. - Safari 10-12 respect the CSP
frame-ancestorsdirective, but prioritizeX-Frame-Optionsif both are specified.
Upvotes: 16
Reputation: 5819
The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page.
The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe.
In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can use it in a frame. It does not matter what http://b.com has in its CSP -- no page can use http://a.com in a frame.
The place where X-Frame-Options intersects with CSP is via the frame-ancestors directive. From the CSP specificiation (emphasis mine):
This directive is similar to the
X-Frame-Optionsheader that several user agents have implemented. The'none'source expression is roughly equivalent to that header’sDENY,'self'toSAMEORIGIN, and so on. The major difference is that many user agents implementSAMEORIGINsuch that it only matches against the top-level document’s location. This directive checks each ancestor. If any ancestor doesn’t match, the load is cancelled. [RFC7034]The
frame-ancestorsdirective obsoletes theX-Frame-Optionsheader. If a resource has both policies, theframe-ancestorspolicy SHOULD be enforced and theX-Frame-Optionspolicy SHOULD be ignored.
An older question indicated this did not work in Firefox at that time but hopefully things have changed now.
UPDATE April 2018:
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Looks like child-src is now the deprecated one and frame-src is back.
Upvotes: 95
Reputation: 34244
The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.
It seems like X-Frame-Options is primary.
If target server denies framing, then client website cannot display this page in iframe whichever values of Content-Security-Policy are set.
However, I haven't found any confirmations in documentation.
Tested on Chrome 54 and IE 11.
Upvotes: 2
Related Questions
- How to set X-Frame-Options Allow-From in nginx correctly
- Replacing X-Frame-Options with CSP
- Security difference between X-Frame-Options and Content-Security-Policy headers?
- How to fix Safari ignoring Content-Security-Policy when X-Frame-Options are specified on Apache?
- Content Security Policy, X-Frame-Options, and localhost
- X-Frame Options set as "DENY DENY"
- What's the point of the X-Frame-Options header?
- X-Frame-Options and Content-Security-Policy for frames in Firefox
- Understanding HTTP header X-Frame-Options
- How useful is the X-Frame-Options header in protecting against malicious framing?