zilcuanu
Reputation: 3715
Replacing X-Frame-Options with CSP
I am migrating from X-Frame-Options to Content Security Policy to fix the click-jacking vulnerability. My application used to set the SAMEORIGIN policy in hte X-Frame-Options header. What is the equivalent option in Content-Security-Policy?
Upvotes: 9
Views: 5927
Answers (1)
sideshowbarker
Reputation: 88296
X-Frame-Options: SAMEORIGIN➡Content-Security-Policy: frame-ancestors 'self'X-Frame-Options: DENY➡Content-Security-Policy: frame-ancestors 'none'
See also https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options
Upvotes: 14
Related Questions
- How do I allow a iframe with a content security policy (CSP)
- Security difference between X-Frame-Options and Content-Security-Policy headers?
- Content Security Policy directive: “frame-ancestors” missing but there?
- CSP: frame-src violation with empty blocked-uri
- How to fix Safari ignoring Content-Security-Policy when X-Frame-Options are specified on Apache?
- How does Content-Security-Policy work with X-Frame-Options?
- CSP: child-src and frame-src deprecated
- Content Security Policy, X-Frame-Options, and localhost
- X-Frame-Options and Content-Security-Policy for frames in Firefox
- Multiple frame ancestors in CSP overriten by X FRAME option