The current CSP policy we are testing doesn't specify a frame-src, hence it would default to default-src.
To determine, is this something we want? There are legit reasons to block frames, but perhaps that's not something to do right now.
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T28508 Content Security Policy (CSP)
Declined | None | | T165455 Go from "E" to "A+" on Securityheaders.io
Open | None | | T135963 Add support for Content-Security-Policy (CSP) headers in MediaWiki
Invalid | None | | T209022 current CSP testing policy would block frames
I'm confused. frame-src blocks what frames you are embedding, not where you are embedded in.
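
Added example, not part of the task discussion or of MediaWiki's code: a small resolver showing which directive governs the frames a page embeds (frame-src, then child-src, then default-src) versus who may embed the page (frame-ancestors, which has no default-src fallback). The sample policy and function names are constructed for illustration.

```javascript
// Constructed sample policy: no frame-src, child-src or frame-ancestors.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'";

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// What this page may embed: frame-src, else child-src, else default-src.
// An empty source list is equivalent to 'none'.
function effectiveFrameSources(policy) {
  const d = parsePolicy(policy);
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (d.has(name)) return { directive: name, sources: d.get(name) };
  }
  return { directive: null, sources: null }; // embedded frames unrestricted
}

// Who may embed this page: frame-ancestors only, never default-src.
function effectiveFrameAncestors(policy) {
  const d = parsePolicy(policy);
  return d.has('frame-ancestors')
    ? { directive: 'frame-ancestors', sources: d.get('frame-ancestors') }
    : { directive: null, sources: null }; // embedding by others unrestricted
}

console.log(effectiveFrameSources(SAMPLE_POLICY));
console.log(effectiveFrameAncestors(SAMPLE_POLICY));
```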