Opened 10 years ago
Last modified 5 years ago
#29429 reopened enhancement
Support frame-ancestors directive over X-Frame-Options
Reported by: | danielbachhuber | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | dev-feedback has-patch |
Focuses: | Cc: |
Description
According to MDN, `X-Frame-Options` is deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
`frame-ancestors` should be used instead.
Previously #12293
Attachments (1)
Change History (7)
#1
@
10 years ago
- Milestone changed from Awaiting Review to Future Release
- Type changed from defect (bug) to enhancement
#7
@
5 years ago
- Keywords has-patch added; needs-patch removed
I looked for any other use of X-Frame-Options - but it only appears in two spots. The customize manager class already provides both headers. This is a change to the `send_frame_options_header()`. Testing in the WP admin shows both headers being issued, no change to behavior from what I can tell using the latest Chrome. The original header is being kept for continued security benefit in older browsers.
Here is my repo's pull request if needed:
We'd need to do at a minimum both to support older browsers.
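
As an added example (not part of the ticket, its patch, or WordPress's code): one way to check the outcome described in comment #7, that a response issues both headers and that they agree. The function names and the sample header lists are constructed for illustration.

```python
# Added example: audit response headers for the dual-header setup in this ticket.
# X-Frame-Options value equivalent to each simple frame-ancestors source list.
XFO_EQUIVALENT = {("'self'",): "SAMEORIGIN", ("'none'",): "DENY", (): "DENY"}


def frame_ancestors(headers):
    """Return one source tuple per CSP policy that carries frame-ancestors."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        # One header field may hold several comma-separated policies.
        for policy in value.split(","):
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append(tuple(t.lower() for t in tokens[1:]))
                    break  # a repeated directive in one policy is ignored
    return found


def audit_framing(headers):
    """Return a list of findings; an empty list means both headers agree."""
    findings = []
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    csp = frame_ancestors(headers)
    if not xfo:
        findings.append("X-Frame-Options missing (older browsers)")
    elif len(set(xfo)) > 1:
        findings.append("conflicting X-Frame-Options values")
    if not csp:
        findings.append("frame-ancestors missing from Content-Security-Policy")
    for sources in csp:
        expected = XFO_EQUIVALENT.get(sources)
        if xfo and expected is not None and expected not in xfo:
            findings.append("frame-ancestors %s does not match X-Frame-Options %s"
                            % (" ".join(sources) or "(empty)", xfo[0]))
    return findings


# Constructed sample responses (header name, value), not captured from a site.
BOTH = [("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "frame-ancestors 'self';")]
LEGACY_ONLY = [("X-Frame-Options", "SAMEORIGIN")]
MISMATCH = [("x-frame-options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")]

if __name__ == "__main__":
    for label, sample in (("both", BOTH), ("legacy", LEGACY_ONLY), ("mismatch", MISMATCH)):
        print(label, audit_framing(sample))
```

Source lists other than `'self'`, `'none'` or an empty list have no X-Frame-Options equivalent, so the audit reports only presence for them, not agreement.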