w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

definitions of ancestor-source differ between documents #535

Open kgoess opened 2 years ago

kgoess commented 2 years ago

Note the difference:

https://www.w3.org/TR/CSP2/#directive-frame-ancestors says

ancestor-source      = scheme-source / host-source

https://w3c.github.io/webappsec-csp/#grammardef-ancestor-source-list says

ancestor-source      = scheme-source / host-source / "'self'"

The "self" is kind of an important omission on the first document.
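An added example, not code from the issue or the spec, that makes the grammar difference concrete: a small Python checker that classifies frame-ancestors tokens under the CSP2 grammar versus the CSP3 grammar quoted above, then applies a simplified matching to decide whether an embedding ancestor is permitted. The regexes and the "omitted scheme means the document's own scheme" rule are my own approximation of the spec's matching algorithm, not the normative one.

```python
import re
from urllib.parse import urlsplit

# Hypothetical checker (not the spec's reference implementation). Token shapes
# follow the ABNF quoted in the issue: scheme-source ("https:"), host-source
# ("https://*.example.com:8443") and, in CSP3 only, the keyword 'self'.
SCHEME_SOURCE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?$"
)

def classify(token, csp3=True):
    """Name the production a frame-ancestors token matches, or None if invalid."""
    if token == "'self'":
        return "self" if csp3 else None   # the CSP2 grammar has no 'self' here
    if SCHEME_SOURCE.match(token):
        return "scheme-source"
    if HOST_SOURCE.match(token):
        return "host-source"
    return None

def parse_frame_ancestors(value, csp3=True):
    """Split a directive value and reject tokens the chosen grammar does not allow."""
    tokens = value.split()
    if tokens == ["'none'"]:
        return []
    bad = [t for t in tokens if classify(t, csp3) is None]
    if bad:
        raise ValueError(f"invalid ancestor-source {bad} under {'CSP3' if csp3 else 'CSP2'}")
    return tokens

def _host_matches(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):          # "*.example.com" matches "a.example.com"
        return host.endswith(pattern_host[1:])
    return host == pattern_host

def ancestor_allowed(directive, ancestor, self_origin, csp3=True):
    """Would a frame at `ancestor` be allowed to embed the page at `self_origin`?"""
    anc, me = urlsplit(ancestor), urlsplit(self_origin)
    for token in parse_frame_ancestors(directive, csp3):
        if token == "'self'":
            if (anc.scheme, anc.hostname, anc.port) == (me.scheme, me.hostname, me.port):
                return True
            continue
        if SCHEME_SOURCE.match(token):
            if anc.scheme == token[:-1]:
                return True
            continue
        m = HOST_SOURCE.match(token)
        # Simplification: an omitted scheme is taken to mean the document's own scheme.
        scheme_ok = anc.scheme == (m["scheme"] or me.scheme)
        port_ok = m["port"] in (None, "*") or str(anc.port or "") == m["port"]
        if scheme_ok and port_ok and _host_matches(m["host"].lower(), anc.hostname or ""):
            return True
    return False
```

With the CSP2 grammar selected, `parse_frame_ancestors("'self'", csp3=False)` raises, which is exactly the omission the issue points at.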

annevk commented 2 years ago

CSP2 is no longer maintained and cannot be updated in place. Although maybe there's a possibility of adding a warning to the document about its status.