If Content-Security-Policy: frame-ancestors 'self' is added to a website (and the other relevant Security Headers are also in place), the result is an A+ grade.
Can I assume that this is not the intended behaviour? With the missing script-src and default-src directives there's no XSS protection.
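To make the point in the question concrete, here is a small CSP analyser. It is an added example, not code from the original post or from any header-scanning service: it parses a Content-Security-Policy value and reports whether the policy actually constrains script execution, applying the default-src fallback rules that browsers use (script-src falls back to default-src, while frame-ancestors does not). The CSP_WEAK and CSP_HARDENED header values are constructed samples; the nonce in CSP_HARDENED is a placeholder.

```python
"""
Minimal Content-Security-Policy analyser (added example, not from the post).

A policy of only "frame-ancestors 'self'" limits who may embed the page,
but says nothing about which scripts may run. Script execution is governed
by script-src, falling back to default-src when script-src is absent.
"""

# Fetch directives that fall back to default-src when they are absent.
# frame-ancestors, base-uri, form-action, sandbox and report-uri do NOT fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}

# Source expressions that let arbitrary scripts run; a script-src built from
# these offers no meaningful XSS protection.
PERMISSIVE_SOURCES = {"*", "'unsafe-inline'", "data:", "http:", "https:"}

# Constructed sample header values (not taken from any real site).
CSP_WEAK = "frame-ancestors 'self'"
CSP_HARDENED = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mPlaceholder'; "  # nonce value is a placeholder
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy = {}
    for raw in header_value.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        # Browsers honour the first occurrence of a directive and ignore repeats.
        policy.setdefault(name, parts[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that govern `directive` after default-src fallback; None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def restricts_scripts(policy):
    """True only if script execution is confined to a non-permissive allow-list."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return False                       # no script-src and no default-src
    if not sources or sources == ["'none'"]:
        return True                        # empty source list or 'none' blocks all scripts
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    strict_dynamic = "'strict-dynamic'" in lowered
    for s in lowered:
        # CSP Level 2+: 'unsafe-inline' is ignored once a nonce or hash is present.
        if s == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        # With 'strict-dynamic' and a nonce/hash, scheme and host sources are ignored.
        if strict_dynamic and has_nonce_or_hash and s in ("*", "data:", "http:", "https:"):
            continue
        if s in PERMISSIVE_SOURCES:
            return False
    return True


def analyse(header_value):
    """Summarise what a CSP header value actually protects against."""
    policy = parse_csp(header_value)
    return {
        "frames_restricted": effective_sources(policy, "frame-ancestors") is not None,
        "scripts_restricted": restricts_scripts(policy),
        "effective_script_src": effective_sources(policy, "script-src"),
    }


if __name__ == "__main__":
    for label, value in (("weak", CSP_WEAK), ("hardened", CSP_HARDENED)):
        print(label, analyse(value))
```

Running the block shows that the weak policy reports frames_restricted True but scripts_restricted False, while the hardened one restricts both; that gap is what a grade based on header presence alone will not surface, so a scanner result is best read as "directive present", not "XSS mitigated".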