Closed: jhernandis closed this issue 7 years ago
Hey, the directive you're looking for is child-src (and might as well duplicate the policy to frame-src too – which is being 'undeprecated' in the upcoming CSP3).
I considered making a friendly source name for it, but figured it might become ambiguous with frame-ancestors. This, coincidentally, is the CSP X-Frame-Options equivalent.
X-Frame-Options and frame-ancestors both govern which domains may frame your site – rather than what it appears you're looking to do (frame another origin).
Just as a side note – if you do want to set X-Frame-Options, SecureHeaders will auto set it to Deny via a header proposal. But as with these header proposals, you override that default by either explicitly removing it, or just setting it to the desired value yourself.
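The two directions described in this answer, as an added example that is not SecureHeaders code: a small evaluator that applies a policy to "may this page embed X" (frame-src, falling back to child-src, then default-src in CSP3) and to "may X embed this page" (frame-ancestors, which has no fallback). The policy string and origins are constructed for illustration.

```python
"""Which CSP directive governs framing in which direction (added example, not SecureHeaders code).
Assumed simplifications: ports ignored, scheme-less host sources match any scheme,
and only 'self', 'none', '*' and host sources are handled."""
from urllib.parse import urlsplit

# CSP3 fallback chain for what THIS page may put in an <iframe>.
EMBED_FALLBACK = ("frame-src", "child-src", "default-src")

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Does one source expression match an origin such as https://www.facebook.com?"""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin == page_origin
    src = urlsplit(source if "://" in source else "https://" + source)
    org = urlsplit(origin)
    if "://" in source and src.scheme != org.scheme:
        return False
    if src.hostname.startswith("*."):  # wildcard host, e.g. *.facebook.com
        return org.hostname.endswith(src.hostname[1:])
    return org.hostname == src.hostname

def may_embed(policy: dict, page_origin: str, frame_origin: str) -> bool:
    """Can page_origin frame frame_origin? frame-src -> child-src -> default-src decide."""
    for directive in EMBED_FALLBACK:
        if directive in policy:
            return any(source_matches(s, frame_origin, page_origin) for s in policy[directive])
    return True  # no governing directive: unrestricted

def may_be_framed_by(policy: dict, page_origin: str, ancestor_origin: str) -> bool:
    """Can ancestor_origin frame page_origin? Only frame-ancestors applies, and it
    never falls back to default-src, so an absent directive means unrestricted."""
    if "frame-ancestors" not in policy:
        return True
    return any(source_matches(s, ancestor_origin, page_origin) for s in policy["frame-ancestors"])

# Constructed policy for this thread's case: embed Facebook, refuse to be framed by anyone.
POLICY = parse_csp("default-src 'self'; child-src 'self' https://www.facebook.com; "
                   "frame-src 'self' https://www.facebook.com; frame-ancestors 'none'")
```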
Many thanks. I'll set the value.
That's a great piece of software.
@jhernandis awesome, and thanks! 😄
It is usual to use an iframe to show content from a Facebook stream or Twitter, to give an example.
I think a directive of ->csp(), something like
$headers->csp('frame', 'sameorigin');
$headers->csp('frame', ['sameorigin', 'http://www.facebook.com']);
Thanks for considering.