Quoting from here,
If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header will be ignored, per HTML's processing model.
I don't understand the part that mentions 'disposition is "enforce"'. Can't find examples. Could someone shed some light on this?
CodePudding user response:
According to https://w3c.github.io/webappsec-csp/#policy-disposition: 'Each policy has an associated disposition, which is either "enforce" or "report".' This corresponds to Content-Security-Policy and Content-Security-Policy-Report-Only, respectively. If you are using the "Report-Only" version of CSP, X-Frame-Options will not be ignored as you are not enforcing the overriding policy.
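To make the disposition distinction concrete, here is an added example (not from the question or the answer above) that parses both CSP headers and reports which mechanism ends up governing framing; the header values and helper names are constructed for illustration.

```python
# Added example, not from the question or answer: applies the quoted rule to a
# constructed set of HTTP response headers and reports which mechanism a browser
# will actually use to decide whether the page may be framed.

def _parse_csp_policies(headers):
    """Yield (disposition, directives) for every CSP policy in the response.

    headers: list of (name, value) pairs as received; names are case-insensitive
    and both CSP headers may repeat.  One header value may hold several
    comma-separated policies, each a ';'-separated list of directives.
    """
    dispositions = {"content-security-policy": "enforce",
                    "content-security-policy-report-only": "report"}
    for name, value in headers:
        disposition = dispositions.get(name.lower())
        if disposition is None:
            continue
        for serialized in value.split(","):
            directives = {}
            for token in serialized.split(";"):
                parts = token.split()
                if parts:  # first occurrence of a directive name wins
                    directives.setdefault(parts[0].lower(), parts[1:])
            if directives:
                yield disposition, directives


def x_frame_options_ignored(headers):
    """True when a policy whose disposition is "enforce" carries frame-ancestors.

    A Report-Only policy never qualifies, so X-Frame-Options still applies.
    frame-ancestors does not fall back to default-src, so an enforced policy
    without an explicit frame-ancestors leaves X-Frame-Options in effect too.
    """
    return any(disposition == "enforce" and "frame-ancestors" in directives
               for disposition, directives in _parse_csp_policies(headers))


def effective_framing_control(headers):
    """Return 'frame-ancestors', 'x-frame-options' or 'none' for a response."""
    if x_frame_options_ignored(headers):
        return "frame-ancestors"
    if any(name.lower() == "x-frame-options" for name, _ in headers):
        return "x-frame-options"
    return "none"


# Constructed sample: Report-Only plus X-Frame-Options, the case the answer describes.
REPORT_ONLY = [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'"),
               ("X-Frame-Options", "DENY")]
print(effective_framing_control(REPORT_ONLY))  # prints x-frame-options
```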