Related to this question

I was struggling with my iframe from another domain not being loaded properly on Safari and did not know what to do. The problem is that Safari 12, as of January 2019, still prioritizes X-Frame-Options over Content-Security-Policy.

I had the following config in .htaccess:

# Legacy header: allows framing by the same origin only
Header always append X-Frame-Options SAMEORIGIN
# Modern equivalent: allows framing by the same origin and the listed domains
Header always append Content-Security-Policy "frame-ancestors 'self' *.master-domain.com *.alternative-domain.com"

and while this worked perfectly in Firefox, Chrome and even Edge (all of which ignore the now-deprecated X-Frame-Options when the feature-richer Content-Security-Policy is sent), Safari for some reason chooses to prioritize the old X-Frame-Options. Moreover, Safari itself defaults to X-Frame-Options: DENY instead of allowing all like the other browsers. This makes it virtually impossible to make an iframe loadable in Safari across multiple domains.

michnovka

1 Answer

The best fix is to remove the header for Safari only, using BrowserMatch and the conditional Header syntax:

# Set the ISSAFARIBROWSER environment variable when the User-Agent matches the regex "Safari"
BrowserMatch "Safari" ISSAFARIBROWSER
Header always append X-Frame-Options SAMEORIGIN
# Drop X-Frame-Options again, but only for requests where ISSAFARIBROWSER is set
Header always unset X-Frame-Options env=ISSAFARIBROWSER
Header always append Content-Security-Policy "frame-ancestors 'self' *.master-domain.com *.alternative-domain.com"
michnovka
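The following added example (not code from the question or answer above) models the header precedence the question describes, Safari 12 honouring X-Frame-Options before frame-ancestors while other browsers do the reverse, and replays the answer's BrowserMatch-based unset against constructed response headers; the origins, User-Agent string and the "safari"/"chrome" browser labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the headers the question's .htaccess emits (no server is contacted).
QUESTION_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' *.master-domain.com *.alternative-domain.com",
}
SAFARI_UA = "Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15 Version/12.0 Safari/605.1.15"  # constructed

def apply_answer_fix(headers, user_agent):
    """Mirror 'BrowserMatch "Safari"' + 'Header always unset X-Frame-Options env=ISSAFARIBROWSER'."""
    out = dict(headers)
    if re.search("Safari", user_agent):  # regex over the UA; Chrome's UA also contains "Safari/537.36"
        out.pop("X-Frame-Options", None)
    return out

def _host_ok(source, host):
    """frame-ancestors host-source match: '*.example.com' covers subdomains, not the apex."""
    source = source.split("://")[-1].split(":")[0].lower()  # drop any scheme/port prefix
    return host.endswith(source[1:]) if source.startswith("*.") else host == source

def csp_allows(csp, framed, embedder):
    """Evaluate the frame-ancestors directive of a CSP header for one embedding origin."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            break
    else:
        return True  # no frame-ancestors directive: CSP does not restrict framing
    host = urlsplit(embedder).hostname.lower()
    for src in tokens[1:]:
        if src == "'none'":
            return False
        if src == "'self'":
            if framed == embedder:
                return True
        elif _host_ok(src, host):
            return True
    return False

def xfo_allows(xfo, framed, embedder):
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framed == embedder
    return True  # unrecognised values are ignored by browsers

def frame_allowed(headers, browser, framed, embedder):
    """Safari 12 (per the question) consults X-Frame-Options first; other browsers prefer frame-ancestors."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo, csp = h.get("x-frame-options"), h.get("content-security-policy")
    if browser == "safari" and xfo is not None:
        return xfo_allows(xfo, framed, embedder)
    if csp is not None and "frame-ancestors" in csp.lower():
        return csp_allows(csp, framed, embedder)
    return xfo_allows(xfo, framed, embedder) if xfo is not None else True
```

Because Chrome's User-Agent also contains "Safari", the BrowserMatch rule unsets X-Frame-Options for Chrome as well; that is harmless here since Chrome already follows frame-ancestors, but it means the CSP header is the only framing control for every WebKit-derived browser.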