I am migrating from X-Frame-Options to Content Security Policy to fix the click-jacking vulnerability. My application used to set the SAMEORIGIN policy in the X-Frame-Options header. What is the equivalent option in Content-Security-Policy?
Upvotes: 9
Views: 5927
X-Frame-Options: SAMEORIGIN
➡ Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: DENY
➡ Content-Security-Policy: frame-ancestors 'none'
See also https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options
Upvotes: 14
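As an added example (not part of the question or answer above), a small Python helper that maps an X-Frame-Options value to the CSP frame-ancestors directive shown in the answer and builds the header pair to send during migration. The ALLOW-FROM handling and the function names are my assumptions, not from the page.

```python
"""Translate X-Frame-Options to CSP frame-ancestors (illustrative helper)."""

from urllib.parse import urlsplit


def xfo_to_frame_ancestors(xfo_value: str) -> str:
    """Map an X-Frame-Options value to the equivalent frame-ancestors directive.

    SAMEORIGIN       -> frame-ancestors 'self'
    DENY             -> frame-ancestors 'none'
    ALLOW-FROM <uri> -> frame-ancestors <origin>  (assumed mapping; ALLOW-FROM was
                        never widely supported, CSP lists ancestor origins instead)
    """
    parts = xfo_value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty X-Frame-Options value")
    keyword = parts[0].upper()
    if keyword == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if keyword == "DENY":
        return "frame-ancestors 'none'"
    if keyword == "ALLOW-FROM" and len(parts) == 2:
        u = urlsplit(parts[1].strip())
        if u.scheme not in ("http", "https") or not u.netloc:
            raise ValueError(f"ALLOW-FROM needs an absolute http(s) URI: {parts[1]!r}")
        # frame-ancestors takes origins (scheme://host[:port]), not full URLs
        return f"frame-ancestors {u.scheme}://{u.netloc}"
    raise ValueError(f"unsupported X-Frame-Options value: {xfo_value!r}")


def migration_headers(xfo_value: str) -> dict:
    """Headers to send while migrating: the CSP directive plus the legacy
    X-Frame-Options header for browsers that do not support frame-ancestors.
    Per the linked spec, a browser that understands frame-ancestors ignores
    X-Frame-Options when both are present. ALLOW-FROM is dropped since it
    has no reliable browser support."""
    csp = xfo_to_frame_ancestors(xfo_value)
    headers = {"Content-Security-Policy": csp}
    legacy = xfo_value.strip().upper()
    if legacy in ("SAMEORIGIN", "DENY"):
        headers["X-Frame-Options"] = legacy
    return headers
```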