Friday, December 2, 2022

[FIXED] What is the current protection on an iframe site?

      , , , ,      No comments   

Issue

In different site I see different data about what mechanism protects against inserting an iframe. Tell me, is it possible that these are different levels of protection or are some of these outdated mechanisms?

  1. Same-origin policy prohibits opening an iframe of another domain
  2. At the same time, there is a Content-Security-Policy with the frame-ancestors directive
  3. And there is also X-Frame-Options: DENY

Solution

No, the Same-Origin Policy, by itself, doesn't prevent you from framing a document from another origin.

X-Frame-Options and CSP's frame-ancestors directive overlap as defences against cross-origin framing. Only the former is supported in old browsers, though. However, the latter is much more flexible. Also, in case both are present in a response, frame-ancestors takes precedence over X-Frame-Options in supporting browsers.

Finally, don't forget that you can sandbox an iframe in order to further isolate the framing document from the framed document.



Answered By - jub0bs
Answer Checked By - Pedro (PHPFixing Volunteer)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...