Content Security Policy specification says
The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.
So from my understanding, if both Content-Security-Policy and X-Frame-Options headers are present, then X-Frame-Options should be ignored.
I have a web app with both headers, and it looks like Firefox 38 ignores the Content-Security-Policy header and uses the X-Frame-Options header instead.
My sample headers are:
Content-Security-Policy:frame-ancestors 'self' local.com *.local.com
X-Frame-Options:Allow-From http://local.com
I want my frame to be accessible from local.com and all subdomains. local.com is just an example. If the X-Frame-Options header is present, then it allows just http://local.com, but if I remove it, then Firefox uses the Content-Security-Policy header and it works fine for the domain and subdomains.
Does it mean that Firefox isn't implementing this part? Or is the specification just too new and Firefox doesn't implement it yet? Is there any other way to force Content-Security-Policy header usage?
I know that Chrome works fine with Content-Security-Policy and IE can work just with X-Frame-Options, but it looks like I can't combine both headers, as Firefox does not behave in the right way.
One possible way is to send X-Frame-Options just for IE, and Content-Security-Policy for all others, but is there a better way?
Thanks!
frame-ancestors only appeared in CSP Level 2 (see the changelog) so it's very likely that Firefox 38 just hasn't implemented it yet.
You can verify that quite easily by watching the JavaScript console - the browser will display warnings about each of the CSP directives it doesn't understand.
You can also download Firefox from the beta channel and see if it makes a difference, but obviously it won't help much if you just want to build an interoperable solution for a production website...
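To make the precedence rule from the question and the fallback from the answer concrete, here is an added Python model (not code from either post, and not a browser implementation) that applies the two headers quoted in the question: when the browser understands frame-ancestors, X-Frame-Options is ignored; when it does not (the Firefox 38 case), only X-Frame-Options is enforced. Port matching and the `Allow-From` URL normalisation real browsers do are simplified assumptions.

```python
from urllib.parse import urlsplit

# Sample headers copied from the question (page values, not invented).
HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' local.com *.local.com",
    "X-Frame-Options": "Allow-From http://local.com",
}

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def host_matches(pattern, host):
    """Host-source match: exact host, or '*.local.com' for any subdomain (ports ignored)."""
    pattern = pattern.lower()
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def source_matches(source, page_origin, ancestor_origin):
    """Match one frame-ancestors source expression against the embedding origin."""
    page, anc = urlsplit(page_origin), urlsplit(ancestor_origin)
    if source == "'self'":
        return (page.scheme, page.netloc) == (anc.scheme, anc.netloc)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if "://" in source:  # scheme-qualified host source, e.g. https://local.com
        src = urlsplit(source)
        return src.scheme == anc.scheme and host_matches(src.hostname or "", anc.hostname or "")
    return host_matches(source, anc.hostname or "")

def framing_allowed(headers, page_origin, ancestor_origin, supports_frame_ancestors=True):
    """Return (policy_applied, allowed). CSP Level 2: a browser that knows frame-ancestors
    ignores X-Frame-Options when both are sent; one that does not falls back to it."""
    sources = None
    if supports_frame_ancestors and "Content-Security-Policy" in headers:
        sources = parse_frame_ancestors(headers["Content-Security-Policy"])
    if sources is not None:
        return "frame-ancestors", any(source_matches(s, page_origin, ancestor_origin) for s in sources)
    xfo = headers.get("X-Frame-Options", "").split()
    if not xfo:
        return "none", True  # no framing restriction at all
    if xfo[0].upper() == "SAMEORIGIN":
        return "X-Frame-Options", page_origin == ancestor_origin
    if xfo[0].upper() == "ALLOW-FROM" and len(xfo) > 1:
        return "X-Frame-Options", xfo[1].rstrip("/") == ancestor_origin.rstrip("/")
    return "X-Frame-Options", False  # DENY, or anything unrecognised, blocks framing
```

Running `framing_allowed(HEADERS, "http://app.local.com", "http://sub.local.com", supports_frame_ancestors=False)` reproduces the behaviour reported in the question: the subdomain is refused because only the `Allow-From http://local.com` policy is consulted.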