On different sites I see different information about which mechanism protects against inserting an iframe. Tell me, is it possible that these are different levels of protection, or are some of these outdated mechanisms?
- Same-origin policy prohibits opening an iframe of another domain
- At the same time, there is a Content-Security-Policy with the frame-ancestors directive
- And there is also X-Frame-Options: DENY
CodePudding user response:
No, the Same-Origin Policy, by itself, doesn't prevent you from framing a document from another origin.
X-Frame-Options and CSP's frame-ancestors directive overlap as defences against cross-origin framing. Only the former is supported in old browsers, though. However, the latter is much more flexible. Also, in case both are present in a response, frame-ancestors takes precedence over X-Frame-Options in supporting browsers.
Finally, don't forget that you can sandbox an iframe in order to further isolate the framing document from the framed document.
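As an added illustration of the precedence rule in the answer above (this is example code written for this page, not the answerer's code and not a browser's implementation), the following Python evaluator takes a document's response headers, the origin of the page trying to frame it, and whether the browser supports CSP, and decides whether framing is allowed. The function names, the constructed header set, and the simplified source-expression matching (only `'none'`, `'self'`, `*`, scheme-only sources, host names and `*.host` wildcards) are my assumptions; a real browser applies the full CSP matching algorithm.

```python
"""Added example: decide whether an ancestor origin may frame a document,
following the rule that frame-ancestors wins over X-Frame-Options in
browsers that support CSP, while X-Frame-Options is the fallback in old
browsers. Function names and the simplified matching are assumptions."""

from urllib.parse import urlsplit


def _parse_frame_ancestors(csp_value):
    """Return the source expressions of frame-ancestors, or None if the
    policy has no such directive (quotes around 'self'/'none' are dropped)."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(source, doc_origin, ancestor_origin):
    """Simplified CSP source-expression match against an ancestor origin."""
    if source == "none":
        return False
    if source == "self":
        return ancestor_origin == doc_origin
    if source == "*":
        return True
    anc = urlsplit(ancestor_origin)
    anc_host = anc.hostname or ""
    if source.endswith(":"):               # scheme-source such as "https:"
        return anc.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != anc.scheme:
        return False
    if src.port is not None and src.port != anc.port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        # "*.example" matches subdomains only, never the bare domain itself
        return anc_host.endswith(host[1:])
    return anc_host == host


def framing_allowed(headers, doc_origin, ancestor_origin, browser_supports_csp=True):
    """True if ancestor_origin may embed the document served from doc_origin.

    When a CSP frame-ancestors directive is present and the browser supports
    CSP, it decides on its own and X-Frame-Options is ignored; otherwise
    X-Frame-Options (DENY / SAMEORIGIN) is consulted; with neither header,
    the browser simply frames the document (same-origin policy does not block it).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    doc_origin = doc_origin.lower()
    ancestor_origin = ancestor_origin.lower()

    sources = None
    if browser_supports_csp and "content-security-policy" in lower:
        sources = _parse_frame_ancestors(lower["content-security-policy"])
    if sources is not None:
        # an empty source list matches nothing, i.e. blocks all framing
        return any(_source_matches(s, doc_origin, ancestor_origin) for s in sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor_origin == doc_origin
    return True


# Constructed header set (assumption): both headers are sent so that old
# browsers still get a defence, with the more flexible CSP rule for the rest.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed markup (assumption) for the framing side mentioned in the answer:
# the sandbox attribute isolates the framed document from the framing one.
SANDBOXED_IFRAME = '<iframe src="https://widget.example/" sandbox="allow-scripts"></iframe>'


def demo(doc_origin="https://app.example"):
    """Evaluate a few constructed framing attempts against HARDENED_HEADERS."""
    cases = {
        "same origin, modern browser": (doc_origin, True),
        "partner subdomain, modern browser": ("https://cdn.partner.example", True),
        "partner subdomain, old browser (XFO fallback)": ("https://cdn.partner.example", False),
        "bare partner domain, modern browser": ("https://partner.example", True),
        "unrelated origin, modern browser": ("https://other.example", True),
    }
    return {name: framing_allowed(HARDENED_HEADERS, doc_origin, anc, csp)
            for name, (anc, csp) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Note that the old-browser case comes out stricter than the CSP case: a browser that ignores CSP falls back to `SAMEORIGIN` and blocks the partner subdomain, which is exactly the kind of difference the precedence rule produces when both headers are sent.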