We should consider setting a default `frame-ancestors` directive for the Content Security Policy. The `frame-ancestors` directive is the new iteration of the X-Frame-Options header, and as such setting a directive in both spots might be prudent.

secure_headers/lib/secure_headers/headers/content_security_policy_config.rb, line 97 in b134eef:

```ruby
style_src: %w('self' https: 'unsafe-inline')
```

Since our default XFO policy is `sameorigin`, if we decide to take upon this task, we should set the default `frame-ancestors` value to be `self`.

Some counterpoints: setting both the `X-Frame-Options` and the `frame-ancestors` directive will cause the XFO header to be overridden by the frame-ancestors directive. This means that if a user is trying to change some framing functionality, and only changes the XFO header, they might be confused as to why the functionality didn't actually change.
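The precedence described in the counterpoint, as an added example that is not part of secure_headers: a small Ruby check that reports which header a CSP-aware browser will actually enforce and flags the case where an `X-Frame-Options` edit is silently shadowed by `frame-ancestors`. The header values are constructed for the example.

```ruby
# Added example (not secure_headers code). CSP Level 2 says that when both
# X-Frame-Options and a frame-ancestors directive are present, frame-ancestors
# is enforced and X-Frame-Options is ignored. These helpers make that visible.

# Map an X-Frame-Options value to the equivalent frame-ancestors source list.
def xfo_to_frame_ancestors(xfo)
  case xfo.to_s.strip.upcase
  when "DENY"       then ["'none'"]
  when "SAMEORIGIN" then ["'self'"]
  else nil # absent, or the obsolete ALLOW-FROM form, which has no direct mapping
  end
end

# Extract the frame-ancestors source list from a CSP header value, or nil if absent.
def csp_frame_ancestors(csp)
  return nil if csp.nil?
  csp.split(";").map(&:strip).each do |directive|
    name, *sources = directive.split(/\s+/)
    return sources if name && name.downcase == "frame-ancestors"
  end
  nil
end

# Which policy a CSP-aware browser enforces, and which header it came from.
def effective_framing_policy(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  fa = csp_frame_ancestors(h["content-security-policy"])
  return { source: "frame-ancestors", sources: fa } if fa
  xfo = xfo_to_frame_ancestors(h["x-frame-options"])
  return { source: "x-frame-options", sources: xfo } if xfo
  { source: "none", sources: nil }
end

# True when both headers are set but disagree: the XFO value has no effect.
def framing_conflict?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  fa = csp_frame_ancestors(h["content-security-policy"])
  xfo = xfo_to_frame_ancestors(h["x-frame-options"])
  !!(fa && xfo && fa.sort != xfo.sort)
end

# Constructed sample: a user tightened XFO to DENY but left the default frame-ancestors 'self'.
SAMPLE_HEADERS = {
  "X-Frame-Options" => "DENY",
  "Content-Security-Policy" =>
    "default-src 'self'; style-src 'self' https: 'unsafe-inline'; frame-ancestors 'self'"
}
```

Running `framing_conflict?(SAMPLE_HEADERS)` returns true and `effective_framing_policy` reports `frame-ancestors 'self'`, which is exactly the confusing situation the counterpoint warns about.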