Security difference between X-Frame-Options and Content-Security-Policy headers?
These HTTP headers seem to do the same thing, albeit with the latter having a bit more flexibility.

Is there any additional security that the Content-Security-Policy offers?

Unbeknown answered 19/3, 2016 at 8:33 Comment(0)

X-FRAME-OPTIONS allows you to protect your site from being framed in other sites.

For example X-FRAME-OPTIONS: SAMEORIGIN allows your site to be embedded in an iframe on the same domain only. It's needed to prevent clickjacking attacks.

But Content-Security-Policy has a completely different purpose. The CSP specification says that:

Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.

So its main purpose is to protect your site from XSS attacks on your users, by not allowing browsers to load resources (scripts, etc.) from unknown domains.

Aggi answered 19/3, 2016 at 11:42 Comment(3)
CSP 2's frame-ancestors has some overlap with X-FRAME-OPTIONS as this too prevents framing and clickjacking attacks. – Bullough
The CSP 2 spec actually explicitly states that it deprecates and replaces X-Frame-Options. Not just overlap. – Rebellion
@ant: In a practical sense it does overlap as browser support catches up. You will need both to support old browsers until your userbase has migrated. – Bullough
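To make the overlap discussed in the answer and comments concrete, here is an added example (not code from the answer or from any browser) that models the framing decision a browser makes from these two headers: when a `frame-ancestors` directive is present it is authoritative, otherwise `X-Frame-Options` is consulted. The `headers` map with lowercase names, the origins, and the `isFramingAllowed` helper are all constructed for this example.

```javascript
// Added example: a simplified model of how a browser decides whether a response
// may be shown inside a frame, given its X-Frame-Options / CSP headers.
// Assumptions (constructed for this example): `headers` maps lowercase header
// names to values; origins are "scheme://host[:port]" strings.

// Does one frame-ancestors source expression match an ancestor origin?
function matchesSource(src, origin, pageOrigin) {
  if (src === "'self'") return origin === pageOrigin;
  if (src === "'none'") return false;
  if (src === "*") return true;
  // host-source: optional scheme, optional "*." wildcard, optional port
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const o = new URL(origin);
  const oPort = o.port || (o.protocol === "https:" ? "443" : "80");
  if (scheme && scheme.toLowerCase() + ":" !== o.protocol) return false;
  const hostOk = wildcard
    ? o.hostname.endsWith("." + host.toLowerCase())
    : o.hostname === host.toLowerCase();
  const portOk = !port || port === "*" || port === oPort;
  return hostOk && portOk;
}

// pageOrigin: origin of the framed response; ancestorOrigins: every frame
// above it, outermost included (empty array means a top-level navigation).
function isFramingAllowed(headers, pageOrigin, ancestorOrigins) {
  const csp = headers["content-security-policy"];
  const fa = csp && csp.split(";").map(d => d.trim())
    .find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    // CSP 2: frame-ancestors replaces X-Frame-Options, which is then ignored.
    // An empty source list behaves like 'none'.
    const sources = fa.split(/\s+/).slice(1);
    return ancestorOrigins.every(a => sources.some(s => matchesSource(s, a, pageOrigin)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return ancestorOrigins.length === 0;
  // Modelled as "every ancestor must be same-origin" (the stricter reading).
  if (xfo === "SAMEORIGIN") return ancestorOrigins.every(a => a === pageOrigin);
  return true; // neither header: no framing protection at all
}
```

Note that the legacy `ALLOW-FROM` value is deliberately not modelled, since it was never supported consistently; the portable way to allow a specific partner origin is `frame-ancestors`, with `X-Frame-Options` kept alongside it for older browsers, as the last comment says.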
