Skip to content

Eliminate X-Frame-Options setting#3094

Merged
labkey-adam merged 1 commit into
release26.7-SNAPSHOTfrom
26.7_fb_x_frame_options
Jul 9, 2026
Merged

Eliminate X-Frame-Options setting#3094
labkey-adam merged 1 commit into
release26.7-SNAPSHOTfrom
26.7_fb_x_frame_options

Conversation

@labkey-adam

Copy link
Copy Markdown
Contributor

Rationale

This X-Frame-Options setting has been removed. So has the CSRF setting (long ago).

Related Pull Requests

@labkey-adam labkey-adam merged commit c4fb833 into release26.7-SNAPSHOT Jul 9, 2026
8 of 9 checks passed
@labkey-adam labkey-adam deleted the 26.7_fb_x_frame_options branch July 9, 2026 15:51
labkey-adam added a commit to LabKey/platform that referenced this pull request Jul 9, 2026
## Rationale
The `frame-ancestors` directive of our standard CSP is the modern way to
control what other sites can "frame" a LabKey deployment (none, by
default). The `X-Frame-Options` header is effectively obsolete, ignored
by any browser that supports `frame-ancestors`. [All major browsers have
supported `frame-ancestors` for 10
years](https://caniuse.com/?search=frame-ancestors+) and hence ignore
`X-Frame-Options`.

## Related Pull Requests
- LabKey/testAutomation#3094
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants