I am migrating from X-Frame-Options to Content Security Policy to fix a clickjacking vulnerability. My application used to set the SAMEORIGIN policy in the X-Frame-Options header. Which option in Content-Security-Policy is the equivalent?
X-Frame-Options: SAMEORIGIN
➡ Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: DENY
➡ Content-Security-Policy: frame-ancestors 'none'
See also https://w3c.github.io/webappsec-csp/#frame-ancestors-and-frame-options
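The mapping above, carried through as an added example that is not part of the original answer: a small Python helper that translates an X-Frame-Options value into the equivalent `frame-ancestors` source list, emits both headers for the migration period (the legacy header for browsers that do not support `frame-ancestors`), and classifies the framing policy a response actually ends up with. The function and variable names are my own; the precedence rule it implements (when a CSP `frame-ancestors` directive is present, browsers ignore X-Frame-Options) comes from the spec section linked above.

```python
"""Migrating anti-clickjacking headers from X-Frame-Options to CSP frame-ancestors.
Added example; helper names are assumptions, not a library API."""

# X-Frame-Options value -> equivalent frame-ancestors source list
XFO_TO_FRAME_ANCESTORS = {"SAMEORIGIN": "'self'", "DENY": "'none'"}


def frame_ancestors_for(xfo_value: str) -> str:
    """Translate an X-Frame-Options value into its frame-ancestors equivalent."""
    key = xfo_value.strip().upper()
    if key not in XFO_TO_FRAME_ANCESTORS:
        # ALLOW-FROM has no CSP equivalent; list the permitted origins explicitly instead
        raise ValueError(f"no frame-ancestors equivalent for X-Frame-Options: {xfo_value!r}")
    return XFO_TO_FRAME_ANCESTORS[key]


def build_headers(xfo_value: str, existing_csp: str = "") -> dict:
    """Headers to send during migration: frame-ancestors for current browsers,
    plus the legacy X-Frame-Options header for browsers that ignore frame-ancestors."""
    directive = f"frame-ancestors {frame_ancestors_for(xfo_value)}"
    csp = f"{existing_csp.rstrip('; ')}; {directive}" if existing_csp else directive
    return {"Content-Security-Policy": csp, "X-Frame-Options": xfo_value.strip().upper()}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers: dict) -> str:
    """Classify the effective framing restriction of a response.
    frame-ancestors, when present, takes precedence over X-Frame-Options."""
    sources = parse_frame_ancestors(_header(headers, "Content-Security-Policy"))
    if sources is not None:
        if sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "same-origin"
        return "restricted: " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unrestricted"


if __name__ == "__main__":
    # Constructed sample: an app that previously sent only X-Frame-Options: SAMEORIGIN
    migrated = build_headers("SAMEORIGIN", existing_csp="default-src 'self'")
    for name, value in migrated.items():
        print(f"{name}: {value}")
    print("effective policy:", framing_policy(migrated))
```

Keeping the X-Frame-Options header alongside `frame-ancestors` is harmless because of the precedence rule, and it covers older user agents until you have confirmed none of your traffic depends on them.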