Open kgoess opened 2 years ago
Note the difference:
https://www.w3.org/TR/CSP2/#directive-frame-ancestors says
ancestor-source = scheme-source / host-source
https://w3c.github.io/webappsec-csp/#grammardef-ancestor-source-list says
ancestor-source = scheme-source / host-source / "'self'"
The "self" is kind of an important omission on the first document.
CSP2 is no longer maintained and cannot be updated in place. Although maybe there's a possibility of adding a warning to the document about its status.
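The difference between the two productions quoted above, as an added example that is not part of the thread or of either specification: a small checker that reports which `frame-ancestors` tokens each grammar rejects. The grammar labels `csp2` and `editorsDraft`, the function names, the simplified regexes for scheme-source and host-source, the sole-token handling of `'none'`, and the sample policy are all assumptions made for illustration.

```javascript
// Simplified approximations of scheme-source and host-source (assumption:
// close enough to show the 'self' difference, not a full ABNF parser).
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
const HOST_SOURCE = new RegExp(
  '^(?:[A-Za-z][A-Za-z0-9+.-]*://)?' +                       // optional scheme "://"
  '(?:\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)' +  // host, optional "*." prefix
  '(?::(?:\\d+|\\*))?' +                                     // optional port
  '(?:/[^\\s;,]*)?$'                                         // optional path
);

// Per the productions quoted in the issue, only the Editor's Draft
// lists "'self'" as an ancestor-source.
const GRAMMARS = {
  csp2: { allowsSelf: false },
  editorsDraft: { allowsSelf: true },
};

function isAncestorSource(token, grammar) {
  if (token.toLowerCase() === "'self'") return GRAMMARS[grammar].allowsSelf;
  return SCHEME_SOURCE.test(token) || HOST_SOURCE.test(token);
}

// Extract the frame-ancestors value from a full policy string, or null.
function frameAncestorsValue(policy) {
  for (const part of policy.split(';')) {
    const [name, ...rest] = part.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return rest.join(' ');
  }
  return null;
}

// Return the tokens that the chosen grammar does not accept.
function rejectedSources(value, grammar) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  // Assumption: "'none'" is valid only when it is the sole token.
  if (tokens.length === 1 && tokens[0].toLowerCase() === "'none'") return [];
  return tokens.filter((t) => !isAncestorSource(t, grammar));
}

// Constructed sample policy.
const samplePolicy = "default-src 'none'; frame-ancestors 'self' https://partner.example";
const value = frameAncestorsValue(samplePolicy);
for (const grammar of Object.keys(GRAMMARS)) {
  console.log(grammar, 'rejects:', rejectedSources(value, grammar));
}
```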