diff --git a/specs/content-security-policy/csp-specification.dev.html b/specs/content-security-policy/csp-specification.dev.html index 75e7f5d4..144c8fff 100644 --- a/specs/content-security-policy/csp-specification.dev.html +++ b/specs/content-security-policy/csp-specification.dev.html @@ -1445,6 +1445,11 @@
frame-ancestors
The frame-ancestors
directive obsoletes the
+ X-Frame-Options
header. If a resource has both policies,
+ the frame-ancestors
policy SHOULD be enforced and the
+ X-Frame-Options
policy SHOULD be ignored.
When generating a violation report for a frame-ancestors
violation,
the user agent MUST NOT include the value of the embedding ancestor as a
blocked-uri
value unless it is same-origin with the protected resource,
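Review bot: the condition "If a resource has both policies" (the line just before the first `+ the frame-ancestors` line) is ambiguous: a response can carry a Content-Security-Policy header that contains no frame-ancestors directive together with an X-Frame-Options header, and as worded a reader could conclude that X-Frame-Options is ignored whenever any CSP policy is present. Suggest tying the precedence to the directive, e.g. "If a resource is delivered with both a policy containing a frame-ancestors directive and an X-Frame-Options header, the frame-ancestors directive SHOULD be enforced and the X-Frame-Options header SHOULD be ignored." Two smaller points on the same lines: X-Frame-Options is a header rather than a "policy", so "both policies" and "X-Frame-Options policy" read oddly; and using SHOULD rather than MUST leaves user agents free to honour a more restrictive X-Frame-Options over a permissive frame-ancestors, so if that divergence is intended it deserves a sentence saying so, and if not, MUST is the right keyword. Since the text also says frame-ancestors "obsoletes" the header, it is worth noting that authors still need X-Frame-Options as a fallback for user agents without frame-ancestors support, which is precisely the situation in which both are present.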