paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

un-deprecate `frame-src` #76

Closed fritzmg closed 8 months ago

fritzmg commented 9 months ago

Currently the CSPBuilder automatically adds both `frame-src` and `child-src` when using `frame-src`, as `frame-src` was originally deprecated in CSP Level 2. However, in CSP Level 3 `frame-src` has been un-deprecated again and `frame-src` is now the preferred way of defining allowed iframe sources.

So I think the correct way to handle this within the CSPBuilder is to always add both `child-src` and `frame-src` for either one, if `supportOldBrowsers` is enabled.

The CSP Level 3 standard defines that you should preferably use either `frame-src` or `worker-src` (they did not, however, technically deprecate `child-src`, if I got that right).
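The mirroring rule proposed above, as an added standalone model (not csp-builder's own code): `mirror_frame_directives` and `compile_header` are hypothetical names, and the "current" branch reflects only the behaviour described in this issue, with the old-browser flag assumed to gate both variants.

```python
"""Hypothetical model of the frame-src / child-src handling discussed in this
issue. Not csp-builder's code; function and argument names are invented."""

FRAME_DIRECTIVES = ("frame-src", "child-src")


def mirror_frame_directives(directives, support_old_browsers, proposed=True):
    """Return a copy of `directives` (name -> list of sources) with
    child-src / frame-src mirroring applied.

    proposed=False models the behaviour the issue describes as current:
    frame-src is copied into child-src (Level 2 deprecated frame-src), but
    child-src on its own is never copied into frame-src.
    proposed=True models the request: with support_old_browsers set, whichever
    of the two is present is copied into the other, so Level 2 browsers
    (child-src) and Level 3 browsers (frame-src preferred) see the same list.
    If both are already configured they are left untouched.
    """
    out = {name: list(srcs) for name, srcs in directives.items()}
    if not support_old_browsers:  # assumption: flag gates both variants
        return out
    frame, child = FRAME_DIRECTIVES
    if frame in out and child not in out:
        out[child] = list(out[frame])
    elif proposed and child in out and frame not in out:
        out[frame] = list(out[child])
    return out


def compile_header(directives):
    """Serialize a directive map to a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}"
                     for name, srcs in directives.items())


if __name__ == "__main__":
    # Constructed policy: only child-src is configured, as a Level 2 user might.
    policy = {"default-src": ["'self'"], "child-src": ["https://embed.example"]}
    print(compile_header(mirror_frame_directives(policy, True, proposed=False)))
    print(compile_header(mirror_frame_directives(policy, True, proposed=True)))
```

With the current rule the second policy only reaches Level 2 browsers; with the proposed rule Level 3 browsers get a matching `frame-src`.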