X-Frame-Options alert


rshte...@gmail.com

Mar 2, 2021, 3:45:07 AM
to OWASP ZAP User Group
Hi All,
I see that the X-Frame-Options alert is valid only for old browsers like IE and is not supported in Chrome and Firefox. If I use Content-Security-Policy with valid URLs, is it enough, and can I just set the X-Frame-Options alert as a false positive?
Thanks.

Ronen

kingthorin+owaspzap

Mar 2, 2021, 6:55:18 AM
to OWASP ZAP User Group
The X-Frame-Options scan rule does check if the CSP contains the frame-ancestors directive. So if it's popping, then you still have an issue.

I'm not sure what makes you think it's only valid for old browsers; all modern browsers have supported XFO for a long time.
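The reply above says the alert only fires when neither X-Frame-Options nor a CSP frame-ancestors directive protects the response. The following is an added example (not ZAP's own rule code) of that kind of check run over response headers: it parses the Content-Security-Policy header, treats frame-ancestors as sufficient, otherwise accepts X-Frame-Options DENY or SAMEORIGIN, and flags everything else. The header dictionaries at the bottom are constructed sample input; the exact precedence ZAP applies is assumed, not taken from the project.

```python
def parse_csp(csp_value):
    """Parse a Content-Security-Policy value into {directive: [source values]}.

    CSP directives are ';'-separated; the first occurrence of a directive
    wins and later duplicates are ignored, which is the behaviour the spec
    requires of browsers.
    """
    directives = {}
    for part in csp_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def framing_protection(headers):
    """Return (protected, reason) for one HTTP response's headers.

    `headers` is a dict; lookup is case-insensitive as header names are.
    A CSP frame-ancestors directive is sufficient on its own (it supersedes
    X-Frame-Options in browsers that support both). Report-Only CSP is
    deliberately ignored because it never blocks framing.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp and "frame-ancestors" in parse_csp(csp):
        sources = " ".join(parse_csp(csp)["frame-ancestors"]) or "<empty>"
        return True, f"CSP frame-ancestors {sources}"

    xfo = lower.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        # ALLOW-FROM was never widely implemented and is obsolete; a bad
        # value is treated by browsers as if the header were absent.
        return False, f"X-Frame-Options value {xfo!r} is not enforced"

    return False, "neither X-Frame-Options nor CSP frame-ancestors is set"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "csp_only": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "xfo_only": {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
    },
    # CSP is present but says nothing about framing: the alert is a true positive.
    "csp_without_frame_ancestors": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    # Report-only CSP does not enforce anything, so framing is still allowed.
    "report_only": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'",
    },
    "obsolete_allow_from": {
        "X-Frame-Options": "ALLOW-FROM https://example.test",
    },
}


def audit(samples=SAMPLES):
    """Return {name: protected} for every sample response."""
    return {name: framing_protection(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_protection(hdrs)
        print(f"{name:28s} {'OK  ' if ok else 'FAIL'} {why}")
```

Run it and only `csp_only` and `xfo_only` pass; the `csp_without_frame_ancestors` case is the situation the original question describes, and it is reported as a real finding rather than a false positive.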