OWASP has since updated its guidance on this header. The two checks now read:
To protect against Cross-Site Scripting, set the 'default-src' directive, or both 'script-src' and 'object-src', to restrictive values. Insecure source values such as '*', 'data:', 'unsafe-inline' or 'unsafe-eval' should be avoided.
To protect against Cross-Frame Scripting (clickjacking), set the 'frame-ancestors' directive explicitly; it does not fall back to 'default-src', so a policy that only sets 'default-src' still allows framing. Insecure values such as '*' or 'data:' should be avoided.
base-uri controls the protected resource's ability to specify the document base URL.
child-src deprecates and replaces frame-src (in CSP Level 2), controlling the protected resource's ability to embed frames.
form-action controls the protected resource's ability to submit forms.
frame-ancestors controls the protected resource's ability to be embedded in other documents.
A protected resource's ability to load Workers is controlled via child-src rather than script-src. Note that CSP Level 3 reversed part of this: frame-src is no longer deprecated and a separate worker-src directive was added, with child-src kept only as the fallback for both, so set frame-src or worker-src explicitly where you need different rules for frames and workers.
To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none';
To allow framing by your own site (same origin) only, use:
Content-Security-Policy: frame-ancestors 'self';
In IIS the header goes in web.config under customHeaders. Directives must be separated by semicolons; without the ';' after 'self' the browser parses child-src as a host source of frame-ancestors and the child-src directive is never applied. Replace https://YOUR-SITE with the origin of your own site:
<add name="Content-Security-Policy" value="frame-ancestors 'self'; child-src 'self' https://YOUR-SITE" />
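The following linter is an added example, not code from the original page or from OWASP. It implements the two OWASP checks above (XSS coverage via default-src or script-src plus object-src, the insecure source values, and an explicit, non-wildcard frame-ancestors) and also catches the missing-semicolon mistake in the web.config value above by flagging a directive name that shows up as a source. The sample header values at the bottom are constructed for the demo and are not taken from any real site.

```python
"""Lint a Content-Security-Policy header value against the OWASP checks above.

Added example (not from the original page or OWASP). Parses a CSP value into
directives and flags: missing XSS coverage, insecure source expressions,
a missing or too-permissive frame-ancestors, and a directive name appearing
as a source value (the symptom of a dropped ';' between directives).
"""

# Directive names from CSP Level 2/3; used to spot a missing ';' separator.
DIRECTIVE_NAMES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "connect-src", "font-src", "media-src", "frame-src", "child-src",
    "worker-src", "frame-ancestors", "base-uri", "form-action",
    "report-uri", "report-to", "upgrade-insecure-requests", "sandbox",
}

# Source expressions the OWASP check calls insecure for default/script/object-src.
INSECURE_SCRIPT_SOURCES = {"*", "data:", "'unsafe-inline'", "'unsafe-eval'"}
# For frame-ancestors the check names '*' and data:.
INSECURE_FRAME_SOURCES = {"*", "data:"}


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}.

    Directives are separated by ';', tokens by whitespace; names are
    case-insensitive. On duplicate directives the first one wins, as browsers do.
    """
    policy = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def lint_csp(value):
    """Return a list of findings (strings); an empty list means the checks pass."""
    policy = parse_csp(value)
    findings = []

    # 1. A directive name used as a *source* means a ';' was dropped, e.g.
    #    "frame-ancestors 'self' child-src 'self'": the browser treats child-src
    #    as a host source and the intended child-src directive is silently lost.
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in DIRECTIVE_NAMES:
                findings.append(
                    f"{name}: source '{src}' is a directive name; "
                    "missing ';' separator?")

    # 2. XSS coverage: default-src, or script-src AND object-src, must be set.
    has_script_and_object = "script-src" in policy and "object-src" in policy
    if "default-src" not in policy and not has_script_and_object:
        findings.append(
            "no default-src and not both script-src and object-src: "
            "script execution and plugin loading are unrestricted")
    for name in ("default-src", "script-src", "object-src"):
        for src in policy.get(name, []):
            if src.lower() in INSECURE_SCRIPT_SOURCES:
                findings.append(f"{name}: insecure source {src}")

    # 3. Clickjacking: frame-ancestors must be present (default-src does NOT
    #    fall back to it) and must not be a wildcard or data:.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page can be framed anywhere")
    else:
        for src in policy["frame-ancestors"]:
            if src.lower() in INSECURE_FRAME_SOURCES:
                findings.append(f"frame-ancestors: insecure source {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample header values for the demo (not captured from a real site).
    samples = {
        "weak": "default-src * 'unsafe-inline'; frame-ancestors *",
        "missing-semicolon": "frame-ancestors 'self' child-src 'self' https://example.com",
        "hardened": ("default-src 'self'; script-src 'self'; object-src 'none'; "
                     "frame-ancestors 'self'; base-uri 'self'; form-action 'self'"),
    }
    for label, header in samples.items():
        print(label, lint_csp(header) or "OK")
```

Run it against the value your server actually sends (for example from curl -sI) rather than the one you think you configured; the missing-semicolon case above passes the frame-ancestors check and still quietly drops the child-src restriction.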