How does Content-Security-Policy work with X-Frame-Options?
HttpHttp HeadersContent Security-PolicyX Frame-OptionsHttp Problem Overview
Does Content-Security-Policy
ignore X-Frame-Options
, returned by a server, or is X-Frame-Options
still primary?
Assuming that I have:
- a website http://a.com with
X-Frame-Options: DENY
- and a website http://b.com with
Content-Security-Policy: frame-src a.com
will browser load this frame?
It is unclear.
On the one hand, http://a.com explicitly denies framing.
On the other hand, http://b.com explicitly allows framing for http://a.com.
Http Solutions
Solution 1 - Http
The frame-src
CSP directive (which is deprecated and replaced by child-src
) determines what sources can be used in a frame on a page.
The X-Frame-Options
response header, on the other hand, determines what other pages can use that page in an iframe.
In your case, http://a.com
with X-Frame-Options: DENY
indicates that no other page can use it in a frame. It does not matter what http://b.com
has in its CSP -- no page can use http://a.com
in a frame.
The place where X-Frame-Options
intersects with CSP is via the frame-ancestors
directive. From the CSP specificiation (emphasis mine):
> This directive is similar to the X-Frame-Options
header that several
> user agents have implemented. The 'none'
source expression is
> roughly equivalent to that header’s DENY
, 'self'
to SAMEORIGIN
,
> and so on. The major difference is that many user agents implement
> SAMEORIGIN
such that it only matches against the top-level
> document’s location. This directive checks each ancestor. If any
> ancestor doesn’t match, the load is cancelled. [RFC7034]
>
> The frame-ancestors
directive obsoletes the X-Frame-Options
header. If a resource has both policies, the frame-ancestors
policy SHOULD be enforced and the X-Frame-Options
policy SHOULD be ignored.
An older question indicated this did not work in Firefox at that time but hopefully things have changed now.
#UPDATE April 2018:
> Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Looks like child-src
is now the deprecated one and frame-src
is back.
Solution 2 - Http
None of your hypotheses are universally true.
- Chrome ignores
X-Frame-Options
. - Safari 9 and below ignore CSP
frame-ancestors
. - Safari 10-12 respect the CSP
frame-ancestors
directive, but prioritizeX-Frame-Options
if both are specified.
Solution 3 - Http
The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.
It seems like X-Frame-Options is primary.
If target server denies framing, then client website cannot display this page in iframe
whichever values of Content-Security-Policy
are set.
However, I haven't found any confirmations in documentation.
Tested on Chrome 54 and IE 11.