securityheaders/securityheaders-bugs

Deprecate X-Frame-Options and instead recommend CSP "frame-ancestors"

Closed this issue · 4 comments

securityheaders.com recommends X-Frame-Options while it is deprecated and replaced with CSP "frame-ancestors" https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options

It is a part of CSP Level 2 and supported on all browsers, except deprecated IE.

XFO isn't actually deprecated but we could try and do some smart detection to not require XFO if we detect frame-ancestors.

@ScottHelme https://www.ietf.org/rfc/rfc7034.txt says

And, given that the "X-" construction is deprecated
[RFC6648], the X-Frame-Options header field will be replaced in the
future by the Frame-Options directive in the Content Security Policy
(CSP) version 1.1 [CSP-1-1].

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

X-Frame-Options Deprecated While the X-Frame-Options header is supported by the major browsers, it was never standardized and has been deprecated in favour of the frame-ancestors directive from the CSP Level 2 specification.

https://developers.google.com/web/updates/2016/06/chrome-52-deprecations

Remove support for X-Frame-Options in <meta> tags

Too early me thinks. There is limited upside to removing this at the moment and plenty of downside (requires CSP, will lead to noise on Pen Tests, is more widely supported by older browsers...etc.).

As regards your citations:

  • The first states that, while X- construction has been deprecated, X-Frame-options will be replaced (not that it has).
  • The second admittedly states it has been deprecated - though mostly seems in concern of support of the ALLOW-FROM directive.
  • The third states it will be deprecated from the META tag - not as an HTTP header.

I would suggest instead alerting if ALLOW-FROM is used in the policy since support is limited and inconsistent.
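An added example of the detection logic discussed in this thread (not securityheaders.com's own code): a CSP frame-ancestors directive is accepted in place of X-Frame-Options, and ALLOW-FROM is flagged for its limited support. The function name and the sample headers are constructed for illustration.

```python
"""Clickjacking-defence header check (example code, not securityheaders.com's)."""


def _csp_directive(csp: str, name: str):
    """Return the source list of a CSP directive, or None if it is absent.
    Directive names are ASCII case-insensitive; directives are ';'-separated."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def check_framing(headers: dict) -> dict:
    """Evaluate framing protection from a dict of response headers.

    Header names are matched case-insensitively. Either a recognised
    X-Frame-Options value or a restrictive frame-ancestors directive counts
    as protection, so XFO is not required when frame-ancestors is present."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip()
    fa = _csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    warnings = []

    if xfo.upper().startswith("ALLOW-FROM"):
        warnings.append("X-Frame-Options ALLOW-FROM has limited and inconsistent browser support")
    elif xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append(f"unrecognised X-Frame-Options value: {xfo!r}")

    # frame-ancestors * permits framing by any origin, so it protects nothing.
    fa_restrictive = fa is not None and "*" not in fa
    if fa is not None and not fa_restrictive:
        warnings.append("frame-ancestors * allows framing from any origin")

    return {
        "xfo_present": bool(xfo),
        "frame_ancestors": fa,
        "protected": bool(xfo) or fa_restrictive,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: CSP-only protection, no X-Frame-Options header.
    sample = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
    print(check_framing(sample))
```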

XFO is not deprecated so we will keep it for now.