Question
Does Content-Security-Policy ignore X-Frame-Options, returned by a server, or is X-Frame-Options still primary?
Assuming that I have:
- a website http://a.com with X-Frame-Options: DENY
- and a website http://b.com with Content-Security-Policy: frame-src a.com
will the browser load this frame?
It is unclear.
On the one hand, http://a.com explicitly denies framing.
On the other hand, http://b.com explicitly allows framing for http://a.com.
Answer 1:
The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page.
The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe.
In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can use it in a frame. It does not matter what http://b.com has in its CSP -- no page can use http://a.com in a frame.
The place where X-Frame-Options intersects with CSP is via the frame-ancestors directive. From the CSP specification (emphasis mine):
    This directive is similar to the X-Frame-Options header that several user agents have implemented. The 'none' source expression is roughly equivalent to that header's DENY, 'self' to SAMEORIGIN, and so on. The major difference is that many user agents implement SAMEORIGIN such that it only matches against the top-level document's location. This directive checks each ancestor. If any ancestor doesn't match, the load is cancelled. [RFC7034]

    The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.
An older question indicated this did not work in Firefox at that time but hopefully things have changed now.
UPDATE April 2018:
Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Looks like child-src is now the deprecated one and frame-src is back.
Answer 2:
None of your hypotheses are universally true.
- Chrome ignores X-Frame-Options.
- Safari 9 and below ignore CSP frame-ancestors.
- Safari 10-12 respect the CSP frame-ancestors directive, but prioritize X-Frame-Options if both are specified.
Answer 3:
The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.
It seems like X-Frame-Options is primary.
If the target server denies framing, the client website cannot display that page in an iframe, whichever values of Content-Security-Policy are set.
However, I haven't found any confirmations in documentation.
Tested on Chrome 54 and IE 11.
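The following is an added example, not code from any of the answers above. It models the decision rule that Answer 1 describes and Answer 3 observed: a frame loads only if the embedding page's CSP (frame-src, falling back to child-src, then default-src) permits the frame URL AND the framed page's own headers permit being embedded, where a frame-ancestors directive, when present, takes precedence over X-Frame-Options as the spec quoted in Answer 1 says. The header values are constructed samples; source-expression matching is simplified (ports and paths are ignored), and the Safari 10-12 quirk from Answer 2, where X-Frame-Options wins over frame-ancestors, is deliberately not modelled.

```python
from urllib.parse import urlparse


def origin(url):
    """(scheme, host, port) tuple used for 'self' and SAMEORIGIN comparisons."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_matches(expr, url, page_url):
    """Does one CSP source expression permit `url`?  `page_url` defines 'self'."""
    target = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return origin(url) == origin(page_url)
    if expr.startswith("'"):
        return False  # other keyword sources never match a URL
    if expr.endswith(":") and "://" not in expr:
        return target.scheme == expr[:-1]  # scheme-source such as https:
    scheme, _, rest = expr.rpartition("://")  # scheme is '' when not given
    if scheme and scheme != target.scheme:
        return False
    host = rest.split("/")[0].split(":")[0]  # simplification: ports and paths ignored
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])
    return target.hostname == host


def allowed_by(exprs, url, page_url):
    return any(source_matches(e, url, page_url) for e in exprs)


def framed_page_allows(frame_url, frame_headers, ancestors):
    """Decision taken from the framed document's own headers.

    Per the CSP spec, frame-ancestors is enforced when present and
    X-Frame-Options is then ignored; otherwise X-Frame-Options decides.
    """
    h = {k.lower(): v for k, v in frame_headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # every ancestor, not only the top-level document, must match
        return all(allowed_by(csp["frame-ancestors"], a, frame_url) for a in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return all(origin(a) == origin(frame_url) for a in ancestors)
    return True  # no framing restriction was sent


def embedder_allows(embedder_url, embedder_headers, frame_url):
    """Decision taken from the embedding document's CSP: frame-src, then
    child-src, then default-src; no applicable directive means no restriction."""
    h = {k.lower(): v for k, v in embedder_headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in csp:
            return allowed_by(csp[directive], frame_url, embedder_url)
    return True


def frame_load_allowed(embedder_url, embedder_headers, frame_url, frame_headers):
    """A frame loads only if BOTH sides permit it: the embedder's CSP can
    never override the framed site's own refusal."""
    return (embedder_allows(embedder_url, embedder_headers, frame_url)
            and framed_page_allows(frame_url, frame_headers, [embedder_url]))


if __name__ == "__main__":
    # The situation from the question, with constructed sample headers.
    b_headers = {"Content-Security-Policy": "frame-src a.com"}
    a_headers = {"X-Frame-Options": "DENY"}
    print(frame_load_allowed("http://b.com", b_headers, "http://a.com", a_headers))  # False
```

Run as-is it prints False for the question's scenario: b.com's frame-src allows a.com, but a.com's DENY is checked independently and wins. Swapping a.com's header for Content-Security-Policy: frame-ancestors b.com makes the same call return True, and adding DENY back alongside it still returns True, which is the precedence the spec mandates for browsers that implement frame-ancestors.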
Source: https://stackoverflow.com/questions/40373771/how-does-content-security-policy-work-with-x-frame-options