How does Content-Security-Policy work with X-Frame-Options?

HttpHttp HeadersContent Security-PolicyX Frame-Options

Http Problem Overview

Does Content-Security-Policy ignore X-Frame-Options, returned by a server, or is X-Frame-Options still primary?

Assuming that I have:

  • a website http://a.com with X-Frame-Options: DENY
  • and a website http://b.com with Content-Security-Policy: frame-src a.com

will browser load this frame?

It is unclear.
On the one hand, http://a.com explicitly denies framing.
On the other hand, http://b.com explicitly allows framing for http://a.com.

Http Solutions

Solution 1 - Http

The frame-src CSP directive (which is deprecated and replaced by child-src) determines what sources can be used in a frame on a page.

The X-Frame-Options response header, on the other hand, determines what other pages can use that page in an iframe.

In your case, http://a.com with X-Frame-Options: DENY indicates that no other page can use it in a frame. It does not matter what http://b.com has in its CSP -- no page can use http://a.com in a frame.

The place where X-Frame-Options intersects with CSP is via the frame-ancestors directive. From the CSP specificiation (emphasis mine):

> This directive is similar to the X-Frame-Options header that several > user agents have implemented. The 'none' source expression is > roughly equivalent to that header’s DENY, 'self' to SAMEORIGIN, > and so on. The major difference is that many user agents implement > SAMEORIGIN such that it only matches against the top-level > document’s location. This directive checks each ancestor. If any > ancestor doesn’t match, the load is cancelled. [RFC7034] > > The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.

An older question indicated this did not work in Firefox at that time but hopefully things have changed now.

#UPDATE April 2018:

> Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.

Looks like child-src is now the deprecated one and frame-src is back.

Solution 2 - Http

None of your hypotheses are universally true.

  • Chrome ignores X-Frame-Options.
  • Safari 9 and below ignore CSP frame-ancestors.
  • Safari 10-12 respect the CSP frame-ancestors directive, but prioritize X-Frame-Options if both are specified.

Solution 3 - Http

The answer was found by testing in practice.
I have created two web-sites and reproduced the described situation.

It seems like X-Frame-Options is primary.
If target server denies framing, then client website cannot display this page in iframe whichever values of Content-Security-Policy are set.

However, I haven't found any confirmations in documentation.

Tested on Chrome 54 and IE 11.

Categories
Recommended Http Solutions
Recommended Http Headers Solutions
Recommended Content Security-Policy Solutions

Previous Solution:

Cannot find module 'internal/fs' after upgrading to node 7

Javascriptnode.jsNpmGruntjsBower

Next Solution:

Can '\0' and NULL be used interchangeably?

C++Null

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionYeldar KurmangaliyevView Question on Stackoverflow
Solution 1 - HttpAnand BhatView Answer on Stackoverflow
Solution 2 - HttpNIRUPAM TEWARYView Answer on Stackoverflow
Solution 3 - HttpYeldar KurmangaliyevView Answer on Stackoverflow