On 02/03/2010 01:21 AM, Paul Stone wrote:
> I've read through the spec at https://wiki.mozilla.org/Security/CSP/Spec
> (which I believe is the most up to date version), and I believe that
> the following is equivalent to X-Frame-Options: SameOrigin:
>
> X-Content-Security-Policy: allow *; options inline-script eval-script;
> frame-ancestors 'self';

That is correct.

> The only thing I'm not 100% sure about is whether this allows data:
> URIs, though I'm pretty sure that the 'allow *' part takes care of
> that. Maybe someone more familiar with the spec could confirm this.

That is also correct. "allow *" permits data: URLs to be used as valid sources for all content types.

> When CSP does finally go into Firefox, I think the X-Frame-Options
> header should be supported as well, since many sites are already using
> it, and it's a lot simpler than the equivalent CSP directive above.

I agree that Firefox should support X-Frame-Options. It should be trivial to support now with the plumbing we added for CSP.

> If this was the case, then I guess the CSP spec should be updated to
> define the behaviour if both headers are specified at the same time
> (I'm guessing they would be intersected in the same way as multiple
> CSP headers).

I'm not sure this is necessary. Couldn't the two specs be considered orthogonal? X-F-O will either block the frame or not, and same for X-CSP. So if one or both say block, then we block, otherwise we allow.

Cheers,
Brandon

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
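The two points in the exchange above, Paul's claim that `frame-ancestors 'self'` is equivalent to `X-Frame-Options: SAMEORIGIN`, and Brandon's rule that when both headers are present the frame is blocked if either header says block, can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from the CSP spec, or from Firefox. It assumes a simplified source-expression matcher (`'self'`, `'none'`, `*`, a full `scheme://host[:port]` origin, or a `*.host` wildcard; the spec's full grammar is not implemented), treats unrecognised `X-Frame-Options` values as having no opinion (an assumption, not a statement about any browser), and uses constructed header values and origins.

```javascript
// Added example, not from the thread or the CSP spec. Decides whether a page
// served with X-Frame-Options and/or X-Content-Security-Policy may be framed
// by a given ancestor origin, using the rule from the reply above: if either
// header blocks, the frame is blocked.

// Parse "scheme://host[:port]" (no path) into its parts. Hosts and schemes
// are compared case-insensitively; default ports for http/https are filled in.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const defaults = { http: "80", https: "443" };
  const port = m[3] || defaults[scheme] || "";
  return { scheme, host, port };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return !!x && !!y && x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// X-Frame-Options: DENY blocks every ancestor; SAMEORIGIN allows only the
// page's own origin. Assumption: any other value is ignored (no opinion).
function xfoAllows(value, pageOrigin, ancestorOrigin) {
  if (value == null) return true;
  const v = value.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return sameOrigin(pageOrigin, ancestorOrigin);
  return true;
}

// Extract the frame-ancestors source list from an X-Content-Security-Policy
// value. Directives are ';'-separated; sources are whitespace-separated.
// Returns null when the directive is absent (framing unrestricted by CSP).
function frameAncestorsSources(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Simplified source-expression matcher (assumption: not the spec's full
// grammar). Supports 'self', 'none', '*', a full origin, or "*.host".
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return sameOrigin(pageOrigin, ancestorOrigin);
  const anc = parseOrigin(ancestorOrigin);
  if (!anc) return false;
  if (s.includes("://")) return sameOrigin(s, ancestorOrigin);
  if (s.startsWith("*.")) return anc.host.endsWith(s.slice(1));
  return anc.host === s;
}

// An empty source list matches nothing, so "frame-ancestors" alone blocks.
function cspAllowsFraming(policy, pageOrigin, ancestorOrigin) {
  if (policy == null) return true;
  const sources = frameAncestorsSources(policy);
  if (sources === null) return true;
  return sources.some((src) => sourceMatches(src, pageOrigin, ancestorOrigin));
}

// Brandon's combination rule: block if either header blocks.
// `headers` is an object keyed by lower-cased header name (constructed input).
function mayFrame(headers, pageOrigin, ancestorOrigin) {
  return xfoAllows(headers["x-frame-options"], pageOrigin, ancestorOrigin)
      && cspAllowsFraming(headers["x-content-security-policy"], pageOrigin, ancestorOrigin);
}

// Paul's equivalence claim, checked over a list of candidate ancestors:
// does the CSP policy decide exactly as X-Frame-Options: SAMEORIGIN would?
function equivalentToSameOrigin(policy, pageOrigin, ancestors) {
  return ancestors.every((a) =>
    cspAllowsFraming(policy, pageOrigin, a) === xfoAllows("SAMEORIGIN", pageOrigin, a));
}

// Constructed sample data: the policy quoted in the thread plus a page origin
// and a spread of ancestors (same origin, explicit default port, scheme
// mismatch, unrelated origin, subdomain).
const THREAD_POLICY = "allow *; options inline-script eval-script; frame-ancestors 'self'";
const PAGE = "https://example.com";
const ANCESTORS = [
  "https://example.com", "https://example.com:443", "http://example.com",
  "https://evil.example", "https://sub.example.com",
];

for (const a of ANCESTORS) {
  console.log(a, "csp:", cspAllowsFraming(THREAD_POLICY, PAGE, a),
              "xfo:", xfoAllows("SAMEORIGIN", PAGE, a));
}
console.log("equivalent:", equivalentToSameOrigin(THREAD_POLICY, PAGE, ANCESTORS));
```

Note that the scheme-mismatch case (`http://example.com` framing an `https://example.com` page) is blocked under both headers, which is why the origin comparison has to include scheme and port rather than just the host; a matcher that compared hosts only would accept that ancestor under `'self'` and break the equivalence.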
