The frame-ancestors directive should not inherit from the "allow" directive in CSP as per the spec. This way sites "opt in" to blocking sites from framing them.
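Added example (JavaScript, not Firefox's own CSP code): a toy policy evaluator for the pre-standard X-Content-Security-Policy syntax that shows the requested behaviour, with frame-ancestors never falling back to "allow" (the old name for what became default-src) while other directives still do; the origins and policies are constructed for illustration.

```javascript
// Parse "directive source source; directive source" into a Map of
// directive name -> list of source expressions. First occurrence wins.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Minimal source matching: 'none', *, 'self' and exact-origin strings.
// Scheme-only and wildcard-host forms are left out to keep the example short.
function sourceMatches(source, origin, self) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return origin === self;
  return source === origin;
}

function originAllowed(sources, origin, self) {
  return sources.some((s) => sourceMatches(s, origin, self));
}

// May a document served from `self` with this policy be framed by `framer`?
// frame-ancestors does NOT inherit from "allow" (or default-src): when the
// directive is absent, framing stays unrestricted, so sites must opt in.
function framingAllowed(policyText, self, framer) {
  const d = parsePolicy(policyText);
  const ancestors = d.get("frame-ancestors");
  if (ancestors === undefined) return true;
  return originAllowed(ancestors, framer, self);
}

// For contrast: fetch directives such as img-src DO fall back to "allow"
// (or, in later CSP versions, default-src) when not listed explicitly.
function loadAllowed(policyText, directive, self, origin) {
  const d = parsePolicy(policyText);
  const sources = d.get(directive) || d.get("allow") || d.get("default-src");
  if (sources === undefined) return true; // no applicable policy at all
  return originAllowed(sources, origin, self);
}
```

A quick way to check a real header with this is to look for frame-ancestors explicitly: a policy of only "allow 'self'" restricts fetches but does nothing against framing.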
Created attachment 447590: Proposed Fix. Attached is a patch including the fix and updated xpcshell tests for the new behavior. Updated the spec (wiki/Security/CSP/Specification) to reflect the changes too.
Attachment #447590 - Flags: review?
Attachment #447590 - Flags: review? → review?(dveditz)
Comment on attachment 447590 (Proposed Fix): r=dveditz, looks good.
Attachment #447590 - Flags: review?(dveditz) → review+
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED