internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

No longer recommend `X-Frame-Options` #1157

Open Seirdy opened 1 year ago

Seirdy commented 1 year ago

A follow-up to #503

With a strong CSP, X-Frame-Options is obsolete. Contrary to what certain browser compatibility tables may suggest, browsers on the most recent versions of iOS 9 (released 2016, supported on the iPhone 4S, released in 2011) support frame-ancestors. For Chromium browsers, support has existed since 2015; for Firefox, since 2014.

At this point, even recommending X-Frame-Options seems unnecessary; it’s about as relevant as X-Permitted-Cross-Domain-Policies.
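An added example, not part of the original issue and not Internet.nl's own code: a header check that treats an enforced `frame-ancestors` directive as the framing control and only falls back to `X-Frame-Options` when none is present. The function names, the verdict strings and the rule that `*` or a bare scheme counts as permissive are assumptions of this sketch; the header samples in the test are constructed.

```python
def frame_ancestors(headers):
    """Return the source list of every enforced frame-ancestors directive."""
    found = []
    for name, value in headers:
        # Content-Security-Policy-Report-Only is never enforced, so skip it.
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):      # one header may carry several policies
            seen = set()
            for directive in policy.split(";"):
                tokens = directive.split()
                if not tokens:
                    continue
                key = tokens[0].lower()
                if key in seen:              # duplicate directive: the first one wins
                    continue
                seen.add(key)
                # default-src is not a fallback for frame-ancestors.
                if key == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
    return found


def is_restrictive(sources):
    # "*" and bare schemes such as "https:" let arbitrary sites frame the page.
    return not any(s == "*" or s.endswith(":") for s in sources)


def framing_verdict(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    lists = frame_ancestors(headers)
    if lists:
        # Browsers ignore X-Frame-Options once an enforced policy contains
        # frame-ancestors, so X-Frame-Options cannot rescue a permissive list.
        # Every policy must allow the embedder, so one restrictive list suffices.
        if any(is_restrictive(sources) for sources in lists):
            return "csp"
        return "csp-permissive"
    xfo = [v.strip().lower() for n, v in headers if n.lower() == "x-frame-options"]
    if xfo and all(v in ("deny", "sameorigin") for v in xfo):
        return "xfo-only"
    return "unprotected"
```

A scanner built this way would report the `X-Frame-Options` result only for the `xfo-only` and `unprotected` verdicts.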

baknu commented 12 months ago

Thanks for your suggestion. We will discuss this.

For the record: in 2021 we changed the X-Frame-Options test from RECOMMENDED to OPTIONAL: https://github.com/internetstandards/Internet.nl/issues/503

stitch commented 8 months ago

Got a ticket regarding X-Frame-Options / CSP on the dashboard: https://github.com/internetstandards/Internet.nl-dashboard/issues/464

I'm closing it over there.