How to use frame-src and child-src in Firefox and other browsers?

Question

The MDN page on Content Security Policy directives states the frame-src is deprecated and child-src should be used. However, Firefox 37 gives the following error message whe

Answer 1

Update: Jan 2017:

Stop using child-src and begin using frame-src again.

In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src and actually re-appointed it as the preferred way to achieve this. While child-src is still supported frame-src is once again preferred.

---

Old post

frame-src is deprecated, but it was only recently made so in CSP Level 2 and not all browsers are up to the latest version of the spec.

The best approach at the moment for maximum browser compatibility is to include both child-src and frame-src with identical values. Browsers that only support the original CSP specification will use frame-src while newer ones will use child-src.

That developer console warning is of no consequence and merely informational. I would suggest you ignore it for now, because a year from now you may very well see one saying that frame-src is deprecated.

At this time, I ensure both are used when this is needed and intend to stop providing frame-src in January of 2017.

CSP Level 2 support:

• Firefox - Pending
• Chrome - 40+
• Opera - 27+
• Microsoft Edge - Pending
• Safari - 10+