Does Content-Security-Policy
ignore X-Frame-Options
, returned by a server, or is X-Frame-Options
still primary?
Assuming that I ha
The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.
It seems like X-Frame-Options is primary.
If target server denies framing, then client website cannot display this page in iframe
whichever values of Content-Security-Policy
are set.
However, I haven't found any confirmations in documentation.
Tested on Chrome 54 and IE 11.
None of your hypotheses are universally true.
X-Frame-Options
.frame-ancestors
.frame-ancestors
directive, but prioritize X-Frame-Options
if both are specified.The frame-src CSP directive (which is deprecated and replaced by child-src
) determines what sources can be used in a frame on a page.
The X-Frame-Options
response header, on the other hand, determines what other pages can use that page in an iframe.
In your case, http://a.com
with X-Frame-Options: DENY
indicates that no other page can use it in a frame. It does not matter what http://b.com
has in its CSP -- no page can use http://a.com
in a frame.
The place where X-Frame-Options
intersects with CSP is via the frame-ancestors directive. From the CSP specificiation (emphasis mine):
This directive is similar to the
X-Frame-Options
header that several user agents have implemented. The'none'
source expression is roughly equivalent to that header’sDENY
,'self'
toSAMEORIGIN
, and so on. The major difference is that many user agents implementSAMEORIGIN
such that it only matches against the top-level document’s location. This directive checks each ancestor. If any ancestor doesn’t match, the load is cancelled. [RFC7034]The
frame-ancestors
directive obsoletes theX-Frame-Options
header. If a resource has both policies, theframe-ancestors
policy SHOULD be enforced and theX-Frame-Options
policy SHOULD be ignored.
An older question indicated this did not work in Firefox at that time but hopefully things have changed now.
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Looks like child-src
is now the deprecated one and frame-src
is back.