orbiteleven

Reputation: 980

Content Security Policy, X-Frame-Options, and localhost

Kind of a 101 question about X-Frame-Options and/or Content-Security-Policy: frame-ancestors: if one intends to develop an application using iframed production sites (on which I can adjust headers) on a local machine, would they have to add localhost to frame-ancestors in the Content-Security-Policy? Will X-Frame-Options SAMEORIGIN not work at all?

Upvotes: 4

Views: 4052

Answers (1)

oreoshake

Reputation: 4898

You would want to strip those headers from the framed response so they don't prevent rendering.

Locally, the only thing that applies would be frame-src coming in the localhost response allowing you to embed your production sites (not setting CSP at all would also work).

Upvotes: 3
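The two checks the answer describes, as an added example that is not part of the question or of oreoshake's answer: a small Python model of how a browser decides whether a page at localhost may embed a production page. The framed response's `frame-ancestors` (which takes precedence over `X-Frame-Options` when both are present) or `X-Frame-Options` decides whether the embedder is allowed; the embedder's own `frame-src` (falling back to `child-src`, then `default-src`) decides what it may load. The URLs, headers and scenario names are constructed, and the source-expression matching is deliberately simplified (`'self'`, `'none'`, `*`, scheme-only and explicit-origin sources only; no wildcard hosts, paths or nested ancestor chains).

```python
"""Toy model of browser framing decisions for CSP frame-ancestors / frame-src and X-Frame-Options.
Simplified source matching; not a full CSP implementation. All inputs below are constructed."""
from urllib.parse import urlsplit

PROD_URL = "https://app.example.com/widget"   # constructed production page being framed
DEV_URL = "http://localhost:3000/"            # constructed local dev app doing the framing


def origin_of(url):
    """scheme://host[:port], lower-cased, which is what CSP origin sources compare against."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(source, origin, self_origin):
    """Does one source expression admit `origin`? `self_origin` is the origin of the page whose policy it is."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return origin == self_origin
    if s == "*":
        return True
    if s.endswith(":"):                      # scheme-only source such as https:
        return origin.startswith(s)
    if "://" not in s:                       # bare host[:port]; scheme not checked in this toy
        return origin.split("://", 1)[1] == s
    return origin == s                       # explicit origin such as http://localhost:3000


def framed_side_allows(framed_headers, framed_url, embedder_origin):
    """Does the framed (production) response permit embedder_origin to frame it?
    Per the CSP spec, frame-ancestors overrides X-Frame-Options when both are sent."""
    csp = parse_csp(framed_headers.get("Content-Security-Policy", ""))
    self_origin = origin_of(framed_url)
    if "frame-ancestors" in csp:
        ok = any(source_allows(s, embedder_origin, self_origin) for s in csp["frame-ancestors"])
        return ok, f"frame-ancestors {'allows' if ok else 'blocks'} {embedder_origin}"
    xfo = framed_headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing"
    if xfo == "SAMEORIGIN":
        ok = embedder_origin == self_origin
        return ok, f"X-Frame-Options: SAMEORIGIN {'allows' if ok else 'blocks'} {embedder_origin}"
    return True, "no frame-ancestors or X-Frame-Options: framing permitted"


def embedder_side_allows(embedder_headers, embedder_url, framed_origin):
    """Does the embedding (localhost) page's own CSP let it load a frame from framed_origin?
    frame-src falls back to child-src, then default-src; no CSP means no restriction."""
    csp = parse_csp(embedder_headers.get("Content-Security-Policy", ""))
    self_origin = origin_of(embedder_url)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in csp:
            ok = any(source_allows(s, framed_origin, self_origin) for s in csp[directive])
            return ok, f"{directive} {'allows' if ok else 'blocks'} {framed_origin}"
    return True, "no CSP on embedding page: any frame source permitted"


def may_embed(embedder_url, embedder_headers, framed_url, framed_headers):
    """Both sides must agree. Returns (allowed, [reason from embedder side, reason from framed side])."""
    ok_embed, why_embed = embedder_side_allows(embedder_headers, embedder_url, origin_of(framed_url))
    ok_framed, why_framed = framed_side_allows(framed_headers, framed_url, origin_of(embedder_url))
    return ok_embed and ok_framed, [why_embed, why_framed]


def demo():
    """Constructed scenarios from the question; returns {scenario: allowed}."""
    prod_allowing_localhost = {
        "Content-Security-Policy": "frame-ancestors 'self' http://localhost:3000",
        "X-Frame-Options": "SAMEORIGIN",    # present but ignored because frame-ancestors is set
    }
    scenarios = {
        "xfo_sameorigin": may_embed(DEV_URL, {}, PROD_URL, {"X-Frame-Options": "SAMEORIGIN"}),
        "frame_ancestors_self": may_embed(DEV_URL, {}, PROD_URL,
                                          {"Content-Security-Policy": "frame-ancestors 'self'"}),
        "localhost_in_frame_ancestors": may_embed(DEV_URL, {}, PROD_URL, prod_allowing_localhost),
        "headers_stripped": may_embed(DEV_URL, {}, PROD_URL, {}),
        "dev_csp_frame_src_self": may_embed(DEV_URL, {"Content-Security-Policy": "frame-src 'self'"},
                                            PROD_URL, {}),
        "dev_csp_frame_src_prod": may_embed(
            DEV_URL, {"Content-Security-Policy": "frame-src 'self' https://app.example.com"}, PROD_URL, {}),
    }
    return {name: allowed for name, (allowed, _) in scenarios.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30s} {'ALLOWED' if allowed else 'BLOCKED'}")
```

Running it shows the two outcomes the thread is about: `X-Frame-Options: SAMEORIGIN` and `frame-ancestors 'self'` both block `http://localhost:3000`, while either listing that exact origin in `frame-ancestors` or stripping the headers from the framed response lets the local app render it; on the localhost side, a `frame-src` that does not name the production origin blocks the embed regardless of what production sends.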
