Support frame-ancestors directive over X-Frame-Options

[danielbachhuber]

According to MDN, X-Frame-Options is deprecated: ​https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

frame-ancestors should be used instead.

Previously #12293

[nacin]

We'd need to do at a minimum both to support older browsers.

[iandunn]

Re-opening because this still seems relevant.

[killerbishop]

Patch for 29429 - adds CSP frame-ancestors self policy

[killerbishop]

I looked for any other use of X-Frame-Options - but it only appears in two spots. The customize manager class already provides both headers. This is a change to the send_frame_options_header(). Testing in the WP admin shows both headers being issued, no change to behavior from what I can tell using the latest Chrome. The original header is being kept for continued security benefit in older browsers.

Here is my repo's pull request if needed:

​https://github.com/killerbishop/wordpress-develop/pull/2

[callumbw95]

Hey Everyone,

I have just taken a look into this, and it looks like the previous PR can be added without any real issues. However to make it clearer I have put this change into a .patch file which I will attach shortly. I think this is a pretty low risk patch, and would definitely be a positive to get merged into core at some point in the coming milestones, but perhaps we need a second opinion here?

[callumbw95]

Updated patch with code from a previous PR

https://core.trac.wordpress.org/ticket/29429

My original concern was the lack of a headers_sent() in the send_frame_options_header() function, but after having found 29429 I think it makes sense to do both at the same time.

[josephscott]

frame-ancestors and headers_sent check

[josephscott]

My original concern regarding the send_frame_options_header() function was the lack of a headers_sent() check. But having found this ticket, and both changes being very small, I think it makes sense to do them both at the same time.

[SergeyBiryukov]

Replying to danielbachhuber:

According to MDN, X-Frame-Options is deprecated: ​https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

frame-ancestors should be used instead.

It appears that X-Frame-Options is no longer marked as deprecated as of January 2025:

• ​mdn/browser-compat-data: Undeprecate X-Frame-Options #25663
• ​mdn/content: Tone down X-Frame-Options warning #37774

That said, adding Content-Security-Policy: frame-ancestors still makes sense to me.

[SergeyBiryukov]

In 60657:

Security: Set the frame-ancestors directive in send_frame_options_header().

The X-Frame-Options HTTP response header is a way of controlling whether and how a document may be loaded inside of a child navigable. For sites using Content-Security-Policy, the frame-ancestors directive provides more granular control over the same situations.

Includes adding a headers_sent() check before sending the headers.

References:

• ​MDN Web Docs: X-Frame-Options header
• ​MDN Web Docs: Content-Security-Policy: frame-ancestors directive

Follow-up to [17826].

Props danielbachhuber, killerbishop, callumbw95, josephscott, nacin, chriscct7, iandunn, SergeyBiryukov.
Fixes #29429.