10

Both options seem to control who can embed the content in an <iframe> tag, just like X-Frame-Options does. Chrome and Safari are deprecating this header (partially, allow-from for instance), so it's a matter of time until it will no longer be used by Firefox and Edge as well, so only Content-Security-Policy will be available.

I've been doing some tests, and the same result (block / allow specific domain) is achieved by using either of those options, so, what's really the difference between them?

Expecting some usage examples where one is useful and the other is not.

The Illusive Man
  • Are you asking about the difference between Content-Security-Policy frame-ancestors and Content-Security-Policy child-src, or between Content-Security-Policy frame-ancestors and the X-Frame-Options header? – Sjoerd Nov 30 '16 at 09:49
  • @Sjoerd the question is pretty clear don't you think? *What's the difference between frame-ancestors and child-src?* – The Illusive Man Nov 30 '16 at 09:55

1 Answer

10

If someone else is interested, given two sites A and B, if B has an iframe of A:

B
+-------------+
|             |
|   A         |
|   +------+  |
|   |      |  |
|   |      +-------> frame-ancestors B;
|   +------+  |
|             |
+-----+-------+
      |
      |
      +------------> child-src A;

  • A's frame-ancestors must contain B
  • B's child-src must contain A

So, frame-ancestors is used when you want a site to be able to load your site in an iframe, while child-src is used when you want to allow your site to load a specific site in an iframe.

Sam R.
  • Thanks for clarifying this difference. `frame-src` behaves as `child-src`, right? – flyer88 Jun 10 '20 at 21:07
    @flyer88 from the site: `Defines valid sources for loading frames. In CSP Level 2 frame-src was deprecated in favor of the child-src directive. CSP Level 3, has undeprecated frame-src and it will continue to defer to child-src if not present` – The Illusive Man Jun 11 '20 at 07:45
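The two-sided check from the answer (A's frame-ancestors must allow B, B's frame-src/child-src must allow A), together with the frame-src → child-src → default-src fallback mentioned in the comments, as an added example that is not part of the original answer. It is a small policy evaluator, not a browser's implementation; the hostnames are hypothetical and only scheme://host, wildcard-subdomain, 'self', 'none' and * source expressions are handled.

```python
# Added example (not from the original answer): evaluate whether site B may
# embed site A in an <iframe> under both sites' Content-Security-Policy.
# Handles only scheme://host sources, *.wildcard hosts, 'self', 'none' and *.
# All hostnames used in tests are hypothetical.

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _split_origin(origin: str):
    # "https://a.example:443/path" -> ("https", "a.example")
    scheme, rest = origin.split("://", 1)
    return scheme, rest.split("/")[0].split(":")[0]

def matches(sources: list, origin: str, self_origin: str) -> bool:
    # True if `origin` matches at least one source expression in `sources`
    if not sources or "'none'" in sources:
        return False
    scheme, host = _split_origin(origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            src = self_origin  # 'self' means the policy owner's own origin
        src_scheme, src_host = _split_origin(src if "://" in src else f"{scheme}://{src}")
        if src_scheme != scheme:
            continue
        if src_host == host or (src_host.startswith("*.") and host.endswith(src_host[1:])):
            return True
    return False

def framing_allowed(framed_origin, framed_csp, embedder_origin, embedder_csp):
    # Returns (allowed, reason) for embedder_origin (B) framing framed_origin (A)
    a, b = parse_csp(framed_csp), parse_csp(embedder_csp)
    # Check 1 (A's side): frame-ancestors must list B. No directive = no restriction.
    if "frame-ancestors" in a and not matches(a["frame-ancestors"], embedder_origin, framed_origin):
        return False, "framed site's frame-ancestors does not allow the embedder"
    # Check 2 (B's side): the first directive present in the fallback chain governs.
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in b:
            if not matches(b[directive], framed_origin, embedder_origin):
                return False, f"embedder's {directive} does not allow the framed site"
            break
    return True, "allowed"
```

Both checks must pass: a permissive child-src on B cannot override a restrictive frame-ancestors on A, and vice versa.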