h5bp/server-configs-apache

X-Frame-Options doesn't mention anything about CSP

summercms opened this issue · 5 comments

Google and a few others have said they stopped using the X-Frame-Options header a while ago and that users should switch over to using CSP.

See this link (Google dropped support in Chrome 52): https://developers.google.com/web/updates/2016/06/chrome-52-deprecations#remove_support_for_x-frame-options_in_tags

It contains the following link: https://owasp.org/www-community/Clickjacking

Which I quote:

Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. (This replaces the older X-Frame-Options HTTP headers.)

Link: https://www.w3.org/TR/CSP3/#directive-frame-ancestors

There is no mention of that in the X-Frame-Options section! File location here: https://github.com/h5bp/server-configs-apache/blob/master/src/security/x-frame-options.conf

What I'm saying is, you say it in the CSP section, but you should also mention it in the X-Frame-Options section as well.

See here what response I got regarding it securityheaders/securityheaders-bugs#54
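As an added illustration of the point above (example code, not from the h5bp repository): a small evaluator that applies the CSP3 rule that `frame-ancestors`, when present, is enforced and `X-Frame-Options` is ignored, so a `DENY` sitting next to `frame-ancestors 'self'` no longer denies same-origin framing. The sample response headers are constructed; ports and path-sources in source expressions are deliberately not handled.

```python
from urllib.parse import urlsplit

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def frame_ancestors_allows(sources, framer, page_origin):
    """Match the framing origin against frame-ancestors source expressions.
    Handles 'none', 'self', '*', scheme-source (https:) and host-source with
    an optional leading wildcard (*.example.com). Ports/paths are ignored
    (assumption made to keep the example short)."""
    f = urlsplit(framer)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if framer == page_origin:
                return True
            continue
        if s == "*":
            return True
        if s.endswith(":"):                      # scheme-source, e.g. "https:"
            if f.scheme == s[:-1]:
                return True
            continue
        scheme, _, host = s.rpartition("://")    # scheme is "" when absent
        if scheme and scheme != f.scheme:
            continue
        if host.startswith("*."):
            if f.hostname and f.hostname.endswith(host[1:]):
                return True
        elif f.hostname == host:
            return True
    return False

def may_be_framed(headers, framer, page_origin):
    """Return (allowed, reason) for a response with the given headers when
    framed by `framer`. CSP frame-ancestors takes precedence (CSP3); otherwise
    X-Frame-Options DENY/SAMEORIGIN applies. Unrecognised XFO values, including
    the obsolete ALLOW-FROM, are ignored by current browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        ok = frame_ancestors_allows(csp["frame-ancestors"], framer, page_origin)
        return ok, "frame-ancestors (X-Frame-Options ignored)"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"

# Constructed sample responses (not taken from the repository's config files)
BOTH_HEADERS = {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com"}
LEGACY_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
```

Note that with `BOTH_HEADERS` a same-origin frame is allowed even though `X-Frame-Options: DENY` is sent, which is exactly why the two sections of the documentation need to point at each other.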

Thanks for opening this issue @ayumi-cloud.
Please use the search feature before opening a new issue, in our case you can find a review of X-Frame-Options in #154.
Closing as duplicate.

@LeoColomb See image:

There is no duplicate issue here!

I'm saying you give NO MENTION OF CSP IN YOUR DESCRIPTION HERE!

Please re-open, this is a separate issue!

Well XFO is not CSP, so this is not that surprising...
Anyway, documentation is always improvable, don't hesitate to open a pull request with your suggestions.

Well XFO is not CSP, so this is not that surprising...

Strange as you wrote this:

superseded by for the CSP addition.

Comment link: #154 (comment)

I'd rather not submit a pull request for you. Instead we prefer just to hard fork this repo (due to poor management).