Add support for frame-ancestors CSP option in browser-policy #7970
This Pull Request adds support for the frame-ancestors CSP option in the browser-policy package. Right now, there is no easy way to allow and/or restrict specific domains from framing your app. Using the X-Frame-Options header has the following problems:
As a result of the above, to allow other domains to frame your app, you have to allow all domains to frame your app.
However, there is a frame-ancestors CSP that allows you to specify which domains can frame your application. This pull request adds an API to do that.
A test has been added to verify that the frame-ancestors CSP is added correctly.
There are also some documentation changes to make note of the new policy.
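The allowlist semantics the pull request describes, as an added example that is not the browser-policy package's own code: it builds a `frame-ancestors` header value and checks whether a candidate ancestor origin would be permitted, showing the "allow everyone" setting beside a restricted allowlist. The origins `myapp.example` and `partner.example` are constructed for the example.

```javascript
// Added example (not browser-policy's own code): build a Content-Security-Policy
// frame-ancestors directive from an allowlist and evaluate whether an ancestor
// origin may frame the app. Matching follows the CSP frame-ancestors source rules
// for the subset used here: '*', 'none', 'self', scheme-only sources ("https:")
// and host sources with an optional "*." wildcard; a source without a port
// matches only the ancestor scheme's default port.

const DEFAULT_PORT = { http: "80", https: "443" };

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || "" };
}

// Header value for a given allowlist; an empty list means nobody may frame the app.
function buildFrameAncestors(allowedSources) {
  return "frame-ancestors " + (allowedSources.length ? allowedSources.join(" ") : "'none'");
}

// CSP lets an http: source also match an https: ancestor, never the reverse.
function schemeMatches(srcScheme, ancScheme) {
  return srcScheme === ancScheme || (srcScheme === "http" && ancScheme === "https");
}

function sourceMatches(source, anc, self) {
  if (source === "'none'") return false;
  if (source === "*") return true;                      // any http/https ancestor
  if (source === "'self'") {
    return anc.scheme === self.scheme && anc.host === self.host && anc.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {           // scheme-only source
    return schemeMatches(source.slice(0, -1).toLowerCase(), anc.scheme);
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;                                 // unsupported expression: deny
  const [, scheme, wildcard, host, port] = m;
  if (!schemeMatches((scheme || self.scheme).toLowerCase(), anc.scheme)) return false;
  const h = host.toLowerCase();
  if (!(wildcard ? anc.host.endsWith("." + h) : anc.host === h)) return false;
  if (port === "*") return true;
  return anc.port === (port || DEFAULT_PORT[anc.scheme]);
}

// Would a page at ancestorOrigin be allowed to frame an app served at selfOrigin?
function framingAllowed(headerValue, ancestorOrigin, selfOrigin) {
  const sources = headerValue.replace(/^frame-ancestors\s+/, "").trim().split(/\s+/);
  const anc = parseOrigin(ancestorOrigin), self = parseOrigin(selfOrigin);
  return sources.some((s) => sourceMatches(s, anc, self));
}

// Weak setting (everyone may frame the app) beside the allowlist this PR makes possible.
const permissive = buildFrameAncestors(["*"]);
const restricted = buildFrameAncestors(["'self'", "https://*.partner.example"]);
```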