
CSP equivalent of X-Frame-Options


Paul Stone

Feb 2, 2010, 7:13:19 AM2/2/10
What CSP header would be the exact equivalent of X-Frame-Options: Deny
or X-Frame-Options: SameOrigin?

CSP denies pretty much everything by default, and restrictions like
'no inline scripts' would prevent a majority of today's websites
working without big changes being made. What CSP declaration would re-
enable everything that is denied by default but prevent a site from
being framed in the same manner as X-Frame-Options?

EricLaw

Feb 2, 2010, 9:41:20 AM2/2/10

In CSP, you specify the frame-ancestors to control who may embed your
document: http://people.mozilla.org/~bsterne/content-security-policy/details.html#frame-ancestors

As for the policy of turning everything else back on, I'm not exactly
sure how that's done, but I'm sure it's in that same document.

Paul Stone

Feb 3, 2010, 4:21:13 AM2/3/10
I've read through the spec at https://wiki.mozilla.org/Security/CSP/Spec
(which I believe is the most up to date version), and I believe that
the following is equivalent to X-Frame-Options: SameOrigin:

X-Content-Security-Policy: allow *; options inline-script eval-script;
frame-ancestors 'self';

The only thing I'm not 100% sure about is whether this allows data:
URIs, though I'm pretty sure that the 'allow *' part takes care of
that. Maybe someone more familiar with the spec could confirm this.

When CSP does finally go into Firefox, I think the X-Frame-Options
header should be supported as well, since many sites are already using
it, and it's a lot simpler than the equivalent CSP directive above.

If this was the case, then I guess the CSP spec should be updated to
define the behaviour if both headers are specified at the same time
(I'm guessing they would be intersected in the same way as multiple
CSP headers).


On Feb 2, 2:41 pm, EricLaw <bay...@gmail.com> wrote:
> On Feb 2, 4:13 am, Paul Stone <stoned...@gmail.com> wrote:
>
> > What CSP header would be the exact equivalent of X-Frame-Options: Deny
> > or X-Frame-Options: SameOrigin?
>
> > CSP denies pretty much everything by default, and restrictions like
> > 'no inline scripts' would prevent a majority of today's websites
> > working without big changes being made. What CSP declaration would re-
> > enable everything that is denied by default but prevent a site from
> > being framed in the same manner as X-Frame-Options?
>
> In CSP, you specify the frame-ancestors to control who may embed your
> document: http://people.mozilla.org/~bsterne/content-security-policy/details.ht...

Brandon Sterne

Feb 3, 2010, 1:15:56 PM2/3/10
to Paul Stone, dev-se...@lists.mozilla.org
On 02/03/2010 01:21 AM, Paul Stone wrote:
> I've read through the spec at https://wiki.mozilla.org/Security/CSP/Spec
> (which I believe is the most up to date version), and I believe that
> the following is equivalent to X-Frame-Options: SameOrigin:
>
> X-Content-Security-Policy: allow *; options inline-script eval-script;
> frame-ancestors 'self';

That is correct.

> The only thing I'm not 100% sure about is whether this allows data:
> URIs, though I'm pretty sure that the 'allow *' part takes care of
> that. Maybe someone more familiar with the spec could confirm this.

That is also correct. "allow *" permits data: URLs to be used as valid
sources for all content types.

> When CSP does finally go into Firefox, I think the X-Frame-Options
> header should be supported as well, since many sites are already using
> it, and it's a lot simpler than the equivalent CSP directive above.

I agree that Firefox should support X-Frame-Options. It should be
trivial to support now with the plumbing we added for CSP.

> If this was the case, then I guess the CSP spec should be updated to
> define the behaviour if both headers are specified at the same time
> (I'm guessing they would be intersected in the same way as multiple
> CSP headers).

I'm not sure this is necessary. Couldn't the two specs be considered
orthogonal? X-F-O will either block the frame or not, and same for
X-CSP. So if one or both say block, then we block, otherwise we allow.

Cheers,
Brandon

Paul Stone

Feb 4, 2010, 5:12:21 AM2/4/10
> I agree that Firefox should support X-Frame-Options. It should be
> trivial to support now with the plumbing we added for CSP.

There is a slight difference between X-F-O: SameOrigin and the CSP
equivalent above. X-F-O only checks the origin of the outermost page,
whereas CSP checks every frame along the way.

> I'm not sure this is necessary. Couldn't the two specs be considered
> orthogonal? X-F-O will either block the frame or not, and same for
> X-CSP. So if one or both say block, then we block, otherwise we allow.

Good point. I'm looking forward to trying out CSP when it lands on the
trunk. I see various patches are being reviewed so hopefully it won't
be long now.
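The two framing checks discussed in this thread, modelled as an added example (not code from any poster, nor Firefox's implementation): X-Frame-Options as Paul describes it decides on the outermost page only, CSP frame-ancestors checks every ancestor in the chain, and Brandon's combination rule blocks when either header blocks. The function names, the ancestor-chain ordering (direct parent first, top-level page last) and the simplified exact-origin source matching are my assumptions.

```python
from urllib.parse import urlsplit

# Added example, not from the thread or Firefox. Ancestor chains are lists
# ordered from the direct parent frame to the outermost (top-level) page.

def origin(url):
    """scheme/host/port triple: the unit both headers compare."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)

def xfo_allows(value, doc_url, ancestors):
    """X-Frame-Options as described in the thread: only the outermost page is checked."""
    if value is None or not ancestors:
        return True                      # header absent, or not framed at all
    v = value.strip().lower()
    if v == "deny":
        return False
    if v == "sameorigin":
        return origin(ancestors[-1]) == origin(doc_url)
    raise ValueError("unsupported X-Frame-Options value: %r" % value)

def parse_frame_ancestors(policy):
    """Return the frame-ancestors source list of an X-Content-Security-Policy header."""
    for directive in (policy or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None                          # directive absent: no framing restriction

def _source_matches(src, ancestor_url, doc_url):
    # Simplified matching: '*', 'self', or an exact origin; 'none' matches nothing.
    if src == "*":
        return True
    if src == "'self'":
        return origin(ancestor_url) == origin(doc_url)
    if src == "'none'":
        return False
    return origin(ancestor_url) == origin(src)

def csp_allows(policy, doc_url, ancestors):
    """CSP frame-ancestors: every frame along the chain must match a source."""
    sources = parse_frame_ancestors(policy)
    if sources is None:
        return True
    return all(any(_source_matches(s, a, doc_url) for s in sources) for a in ancestors)

def framing_allowed(xfo, csp, doc_url, ancestors):
    """Brandon's combination rule: if either header says block, block."""
    return xfo_allows(xfo, doc_url, ancestors) and csp_allows(csp, doc_url, ancestors)
```

With a chain whose top-level page is same-origin but whose intermediate frame is not, `xfo_allows` returns True while `csp_allows` returns False, which is exactly the divergence Paul points out.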
