Make WordPress Core

Opened 10 years ago

Last modified 5 years ago

#29429 reopened enhancement

Support frame-ancestors directive over X-Frame-Options

Reported by: danielbachhuber
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: dev-feedback has-patch
Focuses:
Cc:

Description

According to MDN, X-Frame-Options is deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

frame-ancestors should be used instead.

Previously #12293

Attachments (1)

29429.diff (450 bytes) - added by killerbishop 5 years ago.
Patch for 29429 - adds CSP frame-ancestors self policy


Change History (7)

#1 @nacin
10 years ago

  • Milestone changed from Awaiting Review to Future Release
  • Type changed from defect (bug) to enhancement

We'd need to do at a minimum both to support older browsers.

#2 @nacin
10 years ago

  • Component changed from Administration to Security

#3 @chriscct7
9 years ago

  • Keywords needs-patch added

#5 @iandunn
6 years ago

  • Status changed from new to reopened

Re-opening because this still seems relevant.

#6 @SergeyBiryukov
6 years ago

  • Milestone set to Future Release

@killerbishop
5 years ago

Patch for 29429 - adds CSP frame-ancestors self policy

#7 @killerbishop
5 years ago

  • Keywords has-patch added; needs-patch removed

I looked for any other use of X-Frame-Options, but it only appears in two spots. The customize manager class already provides both headers. This is a change to send_frame_options_header(). Testing in the WP admin shows both headers being issued, with no change to behavior from what I can tell using the latest Chrome. The original header is being kept for continued security benefit in older browsers.

Here is my repo's pull request if needed:

https://github.com/killerbishop/wordpress-develop/pull/2
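The description argues for frame-ancestors over X-Frame-Options, and comment #7 describes the patch sending both headers so that older browsers stay covered. The following is an added example (not the ticket's patch and not WordPress code) that audits a response's framing headers the way the two browser generations apply them: a CSP-aware browser ignores X-Frame-Options whenever a frame-ancestors directive is present, while a browser without frame-ancestors support only sees X-Frame-Options. The SAMEORIGIN value in the constructed sample is an assumption; the ticket only says both headers are issued. The header names and the audit messages are this example's own.

```python
"""Audit framing-protection headers as two browser generations would apply them.

Added example, not WordPress code. Input is a list of (name, value) response
headers; output is what a CSP-aware browser and a pre-CSP browser each enforce,
plus findings about missing or disagreeing headers.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]

# The only X-Frame-Options values with an exact frame-ancestors equivalent.
# ALLOW-FROM never had one and current browsers no longer honour it.
XFO_EQUIVALENT = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from one CSP header value, or None.

    Directives are ';'-separated, tokens whitespace-separated, and directive
    names and keyword sources ('self', 'none') are ASCII case-insensitive.
    Browsers honour only the first occurrence of a directive, so this does too.
    An empty source list means 'none'.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() if t.startswith("'") else t for t in tokens[1:]]
            return sources or ["'none'"]
    return None


@dataclass
class FramingPolicy:
    xfo: Optional[str] = None  # upper-cased X-Frame-Options value, if any
    frame_ancestors: List[List[str]] = field(default_factory=list)  # one list per enforced CSP header

    def modern(self) -> str:
        """CSP-aware browsers ignore X-Frame-Options whenever frame-ancestors is present."""
        if self.frame_ancestors:
            return "frame-ancestors " + " AND ".join(" ".join(p) for p in self.frame_ancestors)
        return f"X-Frame-Options {self.xfo}" if self.xfo else "unrestricted"

    def legacy(self) -> str:
        """Browsers without frame-ancestors support see only X-Frame-Options."""
        return f"X-Frame-Options {self.xfo}" if self.xfo else "unrestricted"


def parse_headers(headers: Headers) -> FramingPolicy:
    policy = FramingPolicy()
    for name, value in headers:
        name = name.lower()
        if name == "x-frame-options":
            policy.xfo = value.strip().upper()
        elif name == "content-security-policy":  # Report-Only never blocks, so it is skipped
            sources = parse_frame_ancestors(value)
            if sources is not None:
                policy.frame_ancestors.append(sources)
    return policy


def audit(headers: Headers) -> List[str]:
    """Findings a reviewer would raise about the framing headers of one response."""
    policy = parse_headers(headers)
    findings: List[str] = []
    if policy.xfo is None and not policy.frame_ancestors:
        return ["no framing protection: any origin may frame this response"]
    if not policy.frame_ancestors:
        findings.append("only X-Frame-Options set: deprecated, add CSP frame-ancestors")
    if policy.xfo is None:
        findings.append("only frame-ancestors set: browsers without CSP support are unprotected")
    if policy.xfo is not None and policy.frame_ancestors:
        expected = XFO_EQUIVALENT.get(policy.xfo)
        if expected is None:
            findings.append(f"X-Frame-Options {policy.xfo} has no frame-ancestors equivalent")
        elif any(sources != expected for sources in policy.frame_ancestors):
            findings.append("headers disagree: modern browsers enforce frame-ancestors, "
                            "legacy browsers enforce X-Frame-Options")
    return findings


# Constructed sample: the pair of headers comment #7 describes the patched admin
# responses sending. The SAMEORIGIN value is an assumption made for this example.
PATCHED_ADMIN: Headers = [("X-Frame-Options", "SAMEORIGIN"),
                          ("Content-Security-Policy", "frame-ancestors 'self'")]

if __name__ == "__main__":
    samples = {
        "patched": PATCHED_ADMIN,
        "xfo only": PATCHED_ADMIN[:1],
        "conflict": [("X-Frame-Options", "DENY"),
                     ("content-security-policy", "frame-ancestors 'self'")],
    }
    for label, hdrs in samples.items():
        p = parse_headers(hdrs)
        print(f"{label}: modern={p.modern()!r} legacy={p.legacy()!r} findings={audit(hdrs)}")
```

The "conflict" sample is the case worth remembering when both headers are kept: if the two values ever drift apart, current browsers enforce the CSP directive and older ones the X-Frame-Options value, so the site ends up with two different framing policies depending on the client.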
