
I need to allow my web application to be iframed.

Both headers will be on the same response. This is different from "How does Content-Security-Policy work with X-Frame-Options?", which refers to headers on both the parent page and the iframed page.

Currently, it has the X-Frame-Options set as SAMEORIGIN. I cannot modify this due to being inherited from a parent project. However, I am able to modify the Content-Security-Policy to add a frame ancestor, so I can add the option I need to allow iframing.

My headers will look like this:

Content-Security-Policy: frame-ancestors https://theHostOfMyIframe.com
X-Frame-Options: SAMEORIGIN

My question is, will the CSP override the X-Frame-Options header to allow my site to be iframed?
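As an added illustration (not code from the poster), the function below models the precedence rule from CSP Level 2/3: when a frame-ancestors directive is present, a supporting browser ignores X-Frame-Options entirely and decides only from the frame-ancestors source list; X-Frame-Options is consulted only when the directive is absent. The page origin, the parent origins and the header dictionary are constructed sample values; source matching is deliberately minimal (no ports or paths).

```python
from urllib.parse import urlsplit

# Constructed sample: the two headers from the question and an assumed origin
# for the framed application itself.
PAGE_ORIGIN = "https://my-app.example"
HEADERS = {
    "Content-Security-Policy": "frame-ancestors https://theHostOfMyIframe.com",
    "X-Frame-Options": "SAMEORIGIN",
}

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _source_matches(source, parent, page_origin):
    """Minimal frame-ancestors matching: 'none', 'self', '*', scheme-only,
    exact-origin and wildcard-host sources (ports and paths not modelled)."""
    s = source.strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return parent == page_origin
    if s == "*":
        return True
    p = urlsplit(parent)
    if "://" not in s and s.endswith(":"):       # scheme-only source, e.g. https:
        return p.scheme == s[:-1]
    if "://" in s:
        scheme, host = s.split("://", 1)
    else:                                         # host-only source: page scheme applies
        scheme, host = urlsplit(page_origin).scheme, s
    if p.scheme != scheme:
        return False
    if host.startswith("*."):
        return p.netloc.endswith(host[1:])        # *.example.org does not match example.org
    return p.netloc == host

def effective_frame_policy(headers, parent_origin, page_origin=PAGE_ORIGIN):
    """Return (allowed, reason) for embedding the page from parent_origin."""
    parent = _origin(parent_origin)
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # An empty source list behaves like 'none'.
            ok = any(_source_matches(src, parent, page_origin) for src in value.split())
            return ok, "frame-ancestors decides; X-Frame-Options is ignored"
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return parent == page_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "no enforced framing restriction"  # absent or invalid XFO is not enforced
```

Browsers that never implemented frame-ancestors fall back to X-Frame-Options, so keeping the inherited SAMEORIGIN header alongside the CSP is the safe combination rather than a conflict.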

Mark Rotteveel
Navs
  • Both headers will be on the same response. This is different from https://stackoverflow.com/questions/40373771/how-does-content-security-policy-work-with-x-frame-options – Navs Dec 20 '22 at 22:43
  • While the question is slightly different, the accepted answer on that question does answer your question as well. – Thayne Dec 22 '22 at 07:43

0 Answers