Multiple frame-ancestors in CSP overridden by X-Frame-Options

949 views

I am having some issues setting security policies for my UI, which can be framed by more than one site. I am setting a CSP policy with multiple frame-ancestors. Adding an X-Frame-Options header is mandated, so if I leave it empty the parent class rendering all UIs will add XFO SAMEORIGIN, which contradicts the CSP frame-ancestors.

One option is to use ALLOWALL, but that is not widely supported. Is there any other way I can set an X-Frame-Options header but allow framing from multiple URIs?


There is 1 answer

oreoshake

If you supply an invalid value, X-Frame-Options will basically be ignored, allowing this to fall back to the frame-ancestors you are providing.

Since it can be any value, have fun:

X-Frame-Options: totally chill
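The trick above works because of how browsers process the two headers, and it is worth seeing both halves of that logic together with the caveat that comes with it. In the HTML specification's X-Frame-Options check, a browser that enforces a CSP containing frame-ancestors skips X-Frame-Options entirely, so in CSP-aware browsers the SAMEORIGIN header added by the framework is not actually the thing blocking the other framing sites. The invalid value only changes behaviour in browsers that enforce X-Frame-Options but do not understand frame-ancestors, and in those browsers an unrecognised value means no framing restriction at all. The following model is an added example, not code from the question, the answer, or any browser; the `supports_csp` flag, the `ui.example` / `portal.example` / `partner.example` / `evil.example` names and the header values are constructed for illustration, and the source-expression matching is deliberately simplified (a port-less host source matches any port).

```python
"""Model of how a browser decides whether a response may be framed.

Added example, constructed for this page. Order follows the HTML spec's
X-Frame-Options check: (1) top-level navigations are never blocked,
(2) an enforced CSP frame-ancestors directive makes X-Frame-Options
irrelevant in a CSP-aware browser, (3) otherwise X-Frame-Options applies,
and a value that is neither DENY nor SAMEORIGIN imposes no restriction.
The `supports_csp` flag is an assumption standing in for a legacy browser
that enforces X-Frame-Options but knows nothing about CSP.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, Optional[int]]  # (scheme, host, port)
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> Origin:
    """Reduce a URL to its (scheme, host, port) origin, filling in default ports."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def _source_matches(src: str, origin: Origin, self_origin: Origin) -> bool:
    """Simplified CSP source-expression matching for frame-ancestors.

    Handles 'self', 'none', '*', scheme-sources (https:) and host-sources of
    the form [scheme://]host[:port] with an optional leading '*.' wildcard.
    Simplification: a source without a port matches any port.
    """
    src = src.lower()
    if src == "'self'":
        return origin == self_origin
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:  # scheme-source, e.g. "https:"
        return origin[0] == src[:-1]
    scheme, sep, rest = src.partition("://")
    if not sep:
        scheme, rest = "", src
    host, _, port = rest.partition(":")
    if scheme and scheme != origin[0]:
        return False
    if host.startswith("*."):
        if not origin[1].endswith(host[1:]):  # "*.partner.example" -> ".partner.example"
            return False
    elif host != origin[1]:
        return False
    if port and port != "*" and int(port) != origin[2]:
        return False
    return True


def frame_ancestors_allows(directive_value: str, ancestors: List[str], self_url: str) -> bool:
    """Every ancestor in the frame chain must match at least one source expression."""
    sources = directive_value.split()
    self_origin = origin_of(self_url)
    return all(
        any(_source_matches(s, origin_of(a), self_origin) for s in sources)
        for a in ancestors
    )


def _frame_ancestors_from(csp: str) -> Optional[str]:
    """Return the frame-ancestors value from an enforced CSP header, if any.
    (Content-Security-Policy-Report-Only is intentionally ignored: it does not block.)"""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.strip()
    return None


def may_be_framed(headers: Dict[str, str], self_url: str, ancestors: List[str],
                  supports_csp: bool = True) -> bool:
    """Decide whether the response may render inside the given ancestor chain."""
    if not ancestors:
        return True  # top-level navigation: nothing to restrict
    if supports_csp:
        fa = _frame_ancestors_from(headers.get("Content-Security-Policy", ""))
        if fa is not None:
            return frame_ancestors_allows(fa, ancestors, self_url)  # XFO never consulted
    raw = headers.get("X-Frame-Options")
    if raw is None:
        return True
    values = {v.strip().lower() for v in raw.split(",")}
    if "deny" in values:
        return False
    if "sameorigin" in values:
        self_origin = origin_of(self_url)
        return all(origin_of(a) == self_origin for a in ancestors)
    return True  # "ALLOWALL", "totally chill", ...: nothing is enforced


if __name__ == "__main__":
    UI = "https://ui.example/widget"
    # Constructed headers for the situation in the question: a CSP allowing
    # several framing sites plus the X-Frame-Options the framework insists on.
    strict = {"Content-Security-Policy":
              "frame-ancestors 'self' https://portal.example https://*.partner.example",
              "X-Frame-Options": "SAMEORIGIN"}
    relaxed = dict(strict, **{"X-Frame-Options": "totally chill"})
    for label, hdrs in (("SAMEORIGIN", strict), ("invalid value", relaxed)):
        for parent in ("https://portal.example/home", "https://evil.example/"):
            for csp_aware in (True, False):
                print(f"{label:13} parent={parent:28} csp_aware={csp_aware!s:5} "
                      f"-> framed={may_be_framed(hdrs, UI, [parent], csp_aware)}")
```

Running the script shows the two cases that matter: with SAMEORIGIN, a CSP-aware browser already lets portal.example frame the UI (the CSP wins), and only a legacy browser blocks it; with the invalid value, that legacy browser lets portal.example through but also lets evil.example through, because an unrecognised X-Frame-Options is equivalent to no header at all. Whether that trade is acceptable depends on how many users are still on browsers without frame-ancestors support.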