Currently the CSPBuilder automatically adds both frame-src and child-src when using frame-src as frame-src was originally deprecated in CSP Level 2. However, in CSP Level 3 frame-src has been un-deprecated again and frame-src is now the preferred way of defining allowed iframe sources.
So I think the correct way to handle this within the CSPBuilder is to always add both child-src and frame-src for either one, if supportOldBrowsers is enabled.
The CSP Level 3 standard defines that you should use preferably either frame-src or worker-src (they did not however deprecate child-src technically, if I got that right).
Currently the
CSPBuilder
automatically adds bothframe-src
andchild-src
when usingframe-src
asframe-src
was originally deprecated in CSP Level 2. However, in CSP Level 3frame-src
has been un-deprecated again andframe-src
is now the preferred way of defining allowed iframe sources.So I think the correct way to handle this within the
CSPBuilder
is to always add bothchild-src
andframe-src
for either one, ifsupportOldBrowsers
is enabled.The CSP Level 3 standard defines that you should use preferably either
frame-src
orworker-src
(they did not however deprecatechild-src
technically, if I got that right).