X-Frame-Options and Content-Security-Policy for frames in Firefox
Content Security Policy specification says

The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

So from my understanding if both Content-Security-Policy and X-Frame-Options headers are present, then X-Frame-Options should be ignored.

I have a web app with both headers, and it looks like Firefox 38 ignores the Content-Security-Policy header and uses the X-Frame-Options header instead.

My sample headers are:

Content-Security-Policy:frame-ancestors 'self' local.com *.local.com 
X-Frame-Options:Allow-From http://local.com

I want my frame to be accessible from local.com and all its subdomains. Local.com is just an example. If the X-Frame-Options header is present, then it allows just http://local.com, but if I remove it, then Firefox uses the Content-Security-Policy header and works fine for the domain and subdomains.

Does it mean that Firefox isn't implementing this part? Or it's just too new specification and Firefox doesn't implement it yet? Is there any other way to force Content-Security-Policy header usage?

I know that Chrome works fine with Content-Security-Policy and IE can work just with X-Frame-Options, but it looks like I can't combine both headers, as Firefox doesn't handle them the right way.

One possible way is to send X-Frame-Options just for IE, and Content-Security-Policy for all others, but is there a better way?

Thanks!

Boathouse answered 23/6, 2015 at 22:29 Comment(0)
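The question hinges on two things: which header a given browser enforces when both are present, and what each header can express. The following is an added example, not code from the original post or from any browser. It builds both headers for an allowed-parents list and models the browser-side decision: a browser that implements CSP Level 2 enforces `frame-ancestors` and ignores `X-Frame-Options`, while one that does not (Firefox 38 in the question) falls back to `X-Frame-Options`, whose `ALLOW-FROM` form names exactly one origin and has no wildcard. The page origin, the parent origins being tested and the `buildFrameHeaders`/`frameAllowed`/`sourceMatches` helpers are assumptions constructed for the example; the allowed-parents list is the one from the question's CSP.

```javascript
// Added example (not from the original post). Models which header a browser
// enforces for frame embedding and what each header can express.
// Constructed assumptions: PAGE_ORIGIN, the test parent origins and all helpers.

const PAGE_ORIGIN = "http://app.local.com";                    // constructed
const ALLOWED_PARENTS = ["'self'", "local.com", "*.local.com"]; // from the question

// Emit both headers. X-Frame-Options ALLOW-FROM carries exactly one origin and
// has no wildcard, so the legacy origin must be passed separately.
function buildFrameHeaders(allowedParents, legacyOrigin) {
  return {
    "Content-Security-Policy": "frame-ancestors " + allowedParents.join(" "),
    "X-Frame-Options": legacyOrigin ? "ALLOW-FROM " + legacyOrigin : "SAMEORIGIN",
  };
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? "" : headers[key];
}

function defaultPort(protocol) { return protocol === "https:" ? "443" : "80"; }

// Match one frame-ancestors source expression against an ancestor origin,
// following the CSP Level 2 host-source rules for scheme, port and *.host.
function sourceMatches(expr, parentOrigin, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return parentOrigin === pageOrigin;

  const parent = new URL(parentOrigin);
  const page = new URL(pageOrigin);
  let scheme = null;
  let host = expr;
  const schemeEnd = expr.indexOf("://");
  if (schemeEnd !== -1) { scheme = expr.slice(0, schemeEnd) + ":"; host = expr.slice(schemeEnd + 3); }
  let port = null;
  const colon = host.lastIndexOf(":");
  if (colon !== -1) { port = host.slice(colon + 1); host = host.slice(0, colon); }

  // Scheme: an explicit scheme must match; without one, the page's own scheme
  // is accepted, as is an https parent embedding an http page.
  if (scheme !== null) {
    if (scheme !== parent.protocol) return false;
  } else if (!(parent.protocol === page.protocol ||
               (page.protocol === "http:" && parent.protocol === "https:"))) {
    return false;
  }
  // Port: only an explicit port is checked here ("*" matches any port).
  if (port !== null && port !== "*" && port !== (parent.port || defaultPort(parent.protocol))) return false;

  // Host: "*.local.com" matches subdomains only, never local.com itself.
  const parentHost = parent.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    const suffix = host.slice(1).toLowerCase();
    return parentHost.endsWith(suffix) && parentHost.length > suffix.length;
  }
  return parentHost === host.toLowerCase();
}

// Decide whether the page may render inside a frame whose parent is parentOrigin.
// For nested frames, call once per ancestor; every ancestor must be allowed.
function frameAllowed(headers, parentOrigin, pageOrigin, supportsFrameAncestors) {
  const csp = header(headers, "Content-Security-Policy");
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (supportsFrameAncestors && directive) {
    // CSP Level 2: frame-ancestors is enforced and X-Frame-Options is ignored.
    const exprs = directive.split(/\s+/).slice(1);
    return exprs.some((e) => sourceMatches(e, parentOrigin, pageOrigin));
  }
  const xfo = header(headers, "X-Frame-Options").trim();
  if (!xfo) return true;                        // no header: framing is allowed
  const [keyword, origin] = xfo.split(/\s+/);
  switch (keyword.toUpperCase()) {
    case "DENY":       return false;
    case "SAMEORIGIN": return parentOrigin === pageOrigin;
    case "ALLOW-FROM": return origin !== undefined &&
                              new URL(origin).origin === new URL(parentOrigin).origin;
    default:           return true;             // invalid value: browsers warn and ignore it
  }
}

// Stand-alone demo: the asker's headers, checked from three constructed parents.
const demoHeaders = buildFrameHeaders(ALLOWED_PARENTS, "http://local.com");
for (const parent of ["http://local.com", "http://sub.local.com", "http://evil.com"]) {
  console.log(parent,
    "csp2:", frameAllowed(demoHeaders, parent, PAGE_ORIGIN, true),
    "xfo-only:", frameAllowed(demoHeaders, parent, PAGE_ORIGIN, false));
}
```

Run under Node (the `URL` class is built in). With CSP Level 2 support, http://sub.local.com is allowed by `*.local.com`; without it the `ALLOW-FROM http://local.com` fallback admits only that one exact origin, which is exactly the difference the asker observed. Two caveats the model reflects: an `X-Frame-Options` value the browser does not recognise is ignored rather than treated as `DENY`, so a typo fails open, and Chrome never implemented `ALLOW-FROM` at all, so there the header is simply ignored and only `frame-ancestors` protects the page.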

frame-ancestors only appeared in CSP Level 2 (see the changelog) so it's very likely that Firefox 38 just hasn't implemented it yet.

You can verify that quite easily by watching the JavaScript console - the browser will display warnings about each of the CSP directives it doesn't understand.

You can also download Firefox from the beta channel and see if it makes a difference, but obviously it won't help much if you just want to build an interoperable solution for a production website...

Debar answered 24/6, 2015 at 7:5 Comment(5)
I thought that it's a new one, but hoped that I had missed something. So it looks like I would need to send headers based on the browser. Thanks for the answer! Boathouse
Firefox 47.0 -- the same. Nodule
Same on Firefox 50.1 - apparently Mozilla hasn't implemented the official CSP spec yet. :/ Myrtismyrtle
There is a bug at bugzilla.mozilla.org/show_bug.cgi?id=1024557 for this; vote for it to get it pushed through. Plating
On a similar note, Chrome won't implement "X-Frame-Options: Allow-From", see bugs.chromium.org/p/chromium/issues/detail?id=129139 Sassan
