Open HandyHat opened 1 year ago
As described on MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#sources), any wildcards used in a source for the frame-ancestors directive must be leading. However, CSP Evaluator does not flag when a non-leading wildcard is used, and instead says it is all good:
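The rule described in the issue above, as an added example that is not part of the original issue and not CSP Evaluator's own code: a small linter that flags `frame-ancestors` sources whose wildcard is not leading. The function names and the sample policy are hypothetical. It goes slightly beyond the issue by also accepting `*` as a whole port, which the CSP host-source grammar permits.

```javascript
// Added example, not CSP Evaluator code. Function names are hypothetical.

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestorsSources(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Return a reason string when a source uses '*' anywhere other than as the
// whole host, the leading "*." host label, or the whole port; else null.
function wildcardProblem(source) {
  if (!source.includes('*')) return null;
  let rest = source;
  const sep = source.indexOf('://');
  if (sep !== -1) {
    if (source.slice(0, sep).includes('*')) return 'wildcard in scheme';
    rest = source.slice(sep + 3);
  }
  const slash = rest.indexOf('/');
  const authority = slash === -1 ? rest : rest.slice(0, slash);
  if (slash !== -1 && rest.slice(slash).includes('*')) return 'wildcard in path';
  const colon = authority.lastIndexOf(':');
  const host = colon === -1 ? authority : authority.slice(0, colon);
  const port = colon === -1 ? '' : authority.slice(colon + 1);
  if (port.includes('*') && port !== '*') return 'wildcard mixed into port';
  const afterLeading = host === '*' ? '' : host.startsWith('*.') ? host.slice(2) : host;
  if (afterLeading.includes('*')) return 'wildcard is not leading in host';
  return null;
}

// Lint a whole policy string; returns [{ source, problem }, ...].
function lintFrameAncestors(policy) {
  const sources = frameAncestorsSources(policy) || [];
  return sources
    .map((source) => ({ source, problem: wildcardProblem(source) }))
    .filter((finding) => finding.problem !== null);
}

// Constructed sample policy (not taken from the issue).
const samplePolicy =
  "default-src 'self'; frame-ancestors 'self' https://*.example.com " +
  'https://www.*.example.com https://example.* https://example.com:*';
console.log(lintFrameAncestors(samplePolicy));
```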