How does Content-Security-Policy work with X-Frame-Options?

Asked 2/11, 2016 at 6:34 Answered 26/6, 2017 at 4:19

Solved http http-headers content-security-policy x-frame-options

Does Content-Security-Policy ignore X-Frame-Options, returned by a server, or is X-Frame-Options still primary?

Assuming that I have:

a website http://a.com with X-Frame-Options: DENY
and a website http://b.com with Content-Security-Policy: frame-src a.com

will browser load this frame?

It is unclear.
On the one hand, http://a.com explicitly denies framing.
On the other hand, http://b.com explicitly allows framing for http://a.com.

Greed answered 2/11, 2016 at 6:34 Comment(1)

Note that neither CSP nor XFO header blocks loading the site. The site will be loaded in that the request will be made. It's just that after loading it the browser will notice the headers and will not display the site inside a frame. – Ki 28/5, 2020 at 2:21

The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page.

The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe.

In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can use it in a frame. It does not matter what http://b.com has in its CSP -- no page can use http://a.com in a frame.

The place where X-Frame-Options intersects with CSP is via the frame-ancestors directive. From the CSP specificiation (emphasis mine):

This directive is similar to the X-Frame-Options header that several user agents have implemented. The 'none' source expression is roughly equivalent to that header’s DENY, 'self' to SAMEORIGIN, and so on. The major difference is that many user agents implement SAMEORIGIN such that it only matches against the top-level document’s location. This directive checks each ancestor. If any ancestor doesn’t match, the load is cancelled. [RFC7034]

The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

An older question indicated this did not work in Firefox at that time but hopefully things have changed now.

UPDATE April 2018:

Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.

Looks like child-src is now the deprecated one and frame-src is back.

Tartarous answered 4/11, 2016 at 7:46 Comment(4)

"The frame-src CSP directive (which is deprecated and replaced by child-src)" - What is the source of this statement ? – Brandeebranden 2/5, 2017 at 9:25

w3.org/TR/CSP2/#directive-frame-src -- "The frame-src directive is deprecated. Authors who wish to govern nested browsing contexts SHOULD use the child-src directive instead." Looks like it is planned to be undeprecated in CSP3 -- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… and w3.org/TR/CSP/#directive-child-src – Tartarous 3/5, 2017 at 2:59

Yes, Firefox did not respect that, last time I checked was a few months ago, but now it works as expected. – Otolith 16/10, 2017 at 8:38

As far as I can tell now, neither child-src nor frame-src is deprecated in the current level 3 draft. If I understand correctly, child-src encompasses both frame-src and worker-src, but honestly, at this point, my brain is melting trying to figure out what's what. – Crankcase 12/9, 2019 at 16:15

None of your hypotheses are universally true.

Chrome ignores X-Frame-Options.
Safari 9 and below ignore CSP frame-ancestors.
Safari 10-12 respect the CSP frame-ancestors directive, but prioritize X-Frame-Options if both are specified.

Jerky answered 26/6, 2017 at 4:19 Comment(5)

This is true for Safari 11 and Safari 12 too. As of September 2018 X-Frame-Options is still prioritized over CSP. – Penta 19/9, 2018 at 20:6

@NathanCH, Yes, Exactly.. Safari12 prioritizing XFO over CSP. Now we are facing problem since we are using SFO-sameorigin and CSP both in our code as "X-FRAME-OPTIONS"--> SAMEORIGIN "Content-Security-Policy", "frame-ancestors 'self' *.abcd.net". How can we specify URL with SFO ? – Cutie 23/10, 2018 at 11:23

I need a citation on Chrome ignoring X-Frame-Options. The data I can find suggests it ignores ALLOW-FROM, but is fine for other values. – Chrestomathy 26/10, 2018 at 9:33

IOS Safari 13 ignores x-frame-options in favour of "CSP frame ancestors" – Peluso 26/9, 2019 at 5:54

Hi. At this moment moment in time, this answer is at least partly false, as X-Frame-Options is widely supported in literally all browsers, from what counts as ancient versions, even Internet Explorer 8 (!) – Woodwork 2/11, 2021 at 4:2

The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.

It seems like X-Frame-Options is primary.
If target server denies framing, then client website cannot display this page in iframe whichever values of Content-Security-Policy are set.

However, I haven't found any confirmations in documentation.

Tested on Chrome 54 and IE 11.

Greed answered 2/11, 2016 at 10:52 Comment(0)

UPDATE April 2018:

Recommended topics

Hot tags