Add CSP frame-ancestors: 'none' #1080

Closed
pgporada wants to merge 4 commits into main from csp-frame-ancestors

@pgporada
Member

"Setting this directive to 'none' is similar to X-Frame-Options: deny (which is also supported in older browsers)."

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Contributor

@tdelmas tdelmas left a comment

Could you add the same change in config/_default/server.toml?

@bdaehlie bdaehlie requested a review from tdelmas September 28, 2023 14:32
@bdaehlie bdaehlie requested a review from scottmakestech July 31, 2025 13:16
@bdaehlie
Contributor

@scottmakestech Can you review this? Is it still a desirable and non-breaking thing to do?

@scottmakestech scottmakestech self-assigned this Oct 21, 2025
scottmakestech added a commit that referenced this pull request Feb 13, 2026
scottmakestech added a commit to abetterinternet/website that referenced this pull request Feb 13, 2026
Sets frame-ancestors property to none to prevent nesting this site in an iframe. Although we already set X-Frame-Options to deny, this is the modern CSP method for declaring this setting. See letsencrypt/website#1080 and letsencrypt/website#2148.
scottmakestech added a commit to divviup/website that referenced this pull request Feb 13, 2026
Adds X-Frame-Options and CSP frame-ancestors headers to prevent this site from being embedded in an iframe on other domains. X-Frame-Options is the legacy header; frame-ancestors is the modern CSP equivalent. Both are set for maximum browser compatibility. See letsencrypt/website#1080 and letsencrypt/website#2148.
scottmakestech added a commit to memorysafety/website that referenced this pull request Feb 13, 2026
Adds X-Frame-Options and CSP frame-ancestors headers to prevent this site from being embedded in an iframe on other domains. X-Frame-Options is the legacy header; frame-ancestors is the modern CSP equivalent. Both are set for maximum browser compatibility. See letsencrypt/website#1080 and letsencrypt/website#2148.
pull bot pushed a commit to johnperez416/website that referenced this pull request Feb 14, 2026
Sets frame-ancestors property to none to prevent nesting this site in an
iframe. Although we already set X-Frame-Options to deny, this is the
modern CSP method for declaring this setting. Fixes letsencrypt#1080.
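
A check for the header pair the commit messages above describe, as an added example that is not code from this pull request or from the sites it references. It reports whether a response denies framing through the legacy header, the CSP directive, or both; the function names and sample headers are constructed for illustration.

```python
# Added example: audits anti-framing headers. Function names are hypothetical.

def parse_csp(policy):
    """Parse one CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; a repeated directive is ignored.
            # Values are lowercased for comparison only (this would mangle nonces).
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def denies_framing(policy):
    """True if this single policy carries frame-ancestors 'none'."""
    return parse_csp(policy).get("frame-ancestors") == ["'none'"]


def framing_posture(headers):
    """Classify a response given its (name, value) header pairs."""
    xfo_deny = csp_none = report_only_none = False
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo_deny = xfo_deny or value.strip().upper() == "DENY"
        elif key == "content-security-policy":
            # All enforced policies apply, so one with 'none' is enough to block.
            csp_none = csp_none or denies_framing(value)
        elif key == "content-security-policy-report-only":
            # Report-only policies are monitored, not enforced.
            report_only_none = report_only_none or denies_framing(value)
    if xfo_deny and csp_none:
        verdict = "both"
    elif csp_none:
        verdict = "csp-only"
    elif xfo_deny:
        verdict = "legacy-only"
    else:
        verdict = "unprotected"
    return {"verdict": verdict, "report_only_not_enforced": report_only_none and not csp_none}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "both": [("X-Frame-Options", "deny"),
             ("Content-Security-Policy", "default-src 'self'; Frame-Ancestors 'none'")],
    "legacy": [("x-frame-options", "DENY"), ("Content-Security-Policy", "default-src 'self'")],
    "report": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
}
```

The "legacy-only" verdict corresponds to the state the commit messages describe before this change: X-Frame-Options already set to deny, with no frame-ancestors directive in the enforced policy.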