Open mauritsvanrees opened 8 years ago
`frame-ancestors` is defined in CSP version 2, and that is not supported in Internet Explorer or Edge.

CSP2 is now supported since Edge 15:
https://blogs.windows.com/msedgedev/2017/01/10/edge-csp-2/
http://caniuse.com/#search=csp
In plone.protect 3 we add the header `X-Frame-Options = SAME-ORIGIN`. That works well as far as I see. But sometimes you want to allow loading your webpages as iframes in another site, which you do with `ALLOW-FROM`. But this can only contain one domain, which cannot be a wild card, and you can not use it in combination with `SAME-ORIGIN`. Also it is up to the browser to support it, and for example Chrome and Safari do not support `ALLOW-FROM`: http://erlend.oftedal.no/blog/tools/xframeoptions/

Result is, that if you set `ALLOW-FROM`, the TinyMCE popups do not work anymore: they use iframes, and you have implicitly chosen to not allow it from the same origin anymore...

Workaround: set the `PLONE_X_FRAME_OPTIONS` environment variable to an empty string, and then all popups work again because you have switched off the clickjack protection.

BTW, this is in Plone 4.3 with the latest plone.protect (3.0.17), though I expect the same in Plone 5. The TinyMCE integration is different there, but I still expect that this works with iframes.

I guess we could edit several TinyMCE views and have them explicitly emit the SAME-ORIGIN option.
Summary so far:

`X-Frame-Options` does not work so nicely when you actually want to allow iframes from another site you control. And `X-Frame-Options` is deprecated. See http://stackoverflow.com/questions/10205192/x-frame-options-allow-from-multiple-domains

The new kid on the block is the `frame-ancestors` directive from Content Security Policy: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives#frame-ancestors

Can I use it? http://caniuse.com/#feat=contentsecuritypolicy Mostly: yes, but not in IE9 and lower, and in IE10/11 you must set `X-Content-Security-Policy` instead of `Content-Security-Policy`, although it might be that this is only true for the 'sandbox' policy. Note: I have not tried it out.

More reading: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ Also note its remarks about inline scripts and inline CSS that are by default not allowed by CSP.
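As an added example (not code from this issue, from plone.protect or from Plone), the following shows the header combination the post is circling around: a `Content-Security-Policy: frame-ancestors` directive that lists `'self'` together with the partner origins (so same-origin iframes such as the TinyMCE popups keep working), with `X-Frame-Options` kept only as a legacy fallback. It also includes a simplified evaluator for the directive, so you can check which embedding origins a given policy lets through before deploying it. Assumptions that are not from the original post: the setting name `ALLOWED_ANCESTORS` and the class name `FrameHeadersMiddleware` are hypothetical; browsers that implement `frame-ancestors` ignore `X-Frame-Options` when both headers are present (CSP Level 2 behaviour), so the fallback value only matters on older browsers; and the real `X-Frame-Options` token is spelled `SAMEORIGIN` (no hyphen).

```python
"""Clickjacking headers: CSP2 frame-ancestors with an X-Frame-Options fallback.

Added example for this issue; not plone.protect code. Assumptions:
- ALLOWED_ANCESTORS is a hypothetical setting naming extra origins that may
  frame the site (the one-origin ALLOW-FROM limit is what it works around).
- CSP2 browsers ignore X-Frame-Options when frame-ancestors is present, so
  X-Frame-Options is only a fallback for legacy browsers.
- The real X-Frame-Options token is SAMEORIGIN (no hyphen).
"""
import fnmatch
from urllib.parse import urlsplit

# Hypothetical setting, not a plone.protect option.
ALLOWED_ANCESTORS = ("https://partner.example",)


def parse_source(src):
    """Split an ancestor source ("https://*.example.com:8443", "example.com")
    into (scheme or None, host pattern, port or None).

    Only scheme/host/port forms are accepted; a path or query is rejected so a
    typo like "https://x.example/" cannot silently yield a policy nothing matches.
    """
    src = src.strip().lower()
    parts = urlsplit(src if "://" in src else "//" + src)
    if parts.path or parts.query or parts.fragment or not parts.hostname:
        raise ValueError("not a valid frame-ancestors source: %r" % src)
    return parts.scheme or None, parts.hostname, parts.port


def frame_headers(allowed_ancestors=ALLOWED_ANCESTORS):
    """Return the two clickjacking headers for a response.

    Content-Security-Policy always lists 'self' plus every extra origin, so
    same-origin iframes (TinyMCE popups) keep working next to the partners.
    X-Frame-Options can say only one thing: SAMEORIGIN, or ALLOW-FROM a single
    literal origin (no wildcard, no list, not combinable with SAMEORIGIN).
    With exactly one literal origin we emit ALLOW-FROM, accepting that legacy
    browsers then block same-origin frames; otherwise we fall back to
    SAMEORIGIN so legacy browsers fail closed rather than open.
    """
    extras = []
    for src in allowed_ancestors:
        parse_source(src)                      # validate before emitting
        extras.append(src.strip().lower())
    csp = "frame-ancestors 'self'" + "".join(" " + s for s in extras)
    if len(extras) == 1 and "*" not in extras[0] and "://" in extras[0]:
        xfo = "ALLOW-FROM " + extras[0]
    else:
        xfo = "SAMEORIGIN"
    return {"Content-Security-Policy": csp, "X-Frame-Options": xfo}


def ancestor_allowed(csp_value, embedder_origin, self_origin):
    """Simplified CSP2 frame-ancestors check: may a page at embedder_origin
    frame our document (served from self_origin) under csp_value?"""
    directive = None
    for d in csp_value.split(";"):
        if d.strip().startswith("frame-ancestors"):
            directive = d.strip()
    if directive is None:
        return True                            # no directive: framing unrestricted
    embedder = parse_source(embedder_origin)
    for src in directive.split()[1:]:
        if src == "'none'":
            return False
        if src == "'self'":
            if parse_source(self_origin) == embedder:
                return True
            continue
        scheme, host_pattern, port = parse_source(src)
        if scheme and scheme != embedder[0]:
            continue
        if port is not None and port != embedder[2]:
            continue
        # "*.partner.example" matches any subdomain but not the bare domain.
        if fnmatch.fnmatchcase(embedder[1], host_pattern):
            return True
    return False


class FrameHeadersMiddleware:
    """Hypothetical WSGI middleware that stamps the headers onto every
    response (plone.protect's own mechanism is not shown here)."""

    def __init__(self, app, allowed_ancestors=ALLOWED_ANCESTORS):
        self.app = app
        self.headers = list(frame_headers(allowed_ancestors).items())

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            names = {h[0].lower() for h in headers}      # app wins if it set one
            extra = [h for h in self.headers if h[0].lower() not in names]
            return start_response(status, headers + extra, exc_info)
        return self.app(environ, _start)
```

Note the trade-off the post ran into is explicit in `frame_headers`: a single `ALLOW-FROM` value cannot also express same-origin, so the only way to have both is the CSP directive, and the `X-Frame-Options` value is chosen for whichever legacy browsers you care about more.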