No longer recommend `X-Frame-Options`

Open Seirdy opened this issue 1 year ago • 2 comments

A follow-up to #503

With a strong CSP, X-Frame-Options is obsolete. Contrary to what certain browser compatibility tables may suggest, browsers on the most recent versions of iOS 9 (released 2016; supported on the iPhone 4S, released in 2011) support frame-ancestors. For Chromium browsers, support has existed since 2015; for Firefox, since 2014.

At this point, even recommending X-Frame-Options seems unnecessary; it’s about as relevant as X-Permitted-Cross-Domain-Policies.

Seirdy, Nov 10 '23 19:11
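An added example, not part of the original issue and not Internet.nl's own code: one way a header test could decide whether `X-Frame-Options` still contributes anything once a CSP is present. It relies on two CSP rules: `frame-ancestors` has no `default-src` fallback, and browsers ignore `X-Frame-Options` when an enforced policy contains `frame-ancestors`. The function names and verdict strings are assumptions made for this example.

```python
# Added example; header values used with it are constructed samples.

def parse_csp(value):
    """Parse one Content-Security-Policy header value into a list of policies."""
    policies = []
    for raw_policy in value.split(","):      # a comma separates whole policies
        policy = {}
        for part in raw_policy.split(";"):   # a semicolon separates directives
            tokens = part.split()
            if tokens:
                # Directive names are case-insensitive; the first occurrence wins.
                policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
        if policy:
            policies.append(policy)
    return policies


def is_broad(sources):
    """True if the ancestor list lets any origin frame the page."""
    return any(s == "*" or s in ("http:", "https:") for s in sources)


def framing_verdict(headers):
    """Classify framing protection from (name, value) response header pairs."""
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo_values = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    # Only an explicit frame-ancestors counts: it has no default-src fallback.
    ancestor_lists = [p["frame-ancestors"] for v in csp_values
                      for p in parse_csp(v) if "frame-ancestors" in p]
    if ancestor_lists:
        # All policies are enforced together, so one restrictive list suffices.
        if any(not is_broad(s) for s in ancestor_lists):
            return "csp" if not xfo_values else "csp, x-frame-options redundant"
        # X-Frame-Options is ignored here, so it cannot compensate.
        return "csp present but frame-ancestors allows any origin"
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo_values):
        return "x-frame-options only"
    return "no framing protection"
```

Only the enforcing `Content-Security-Policy` header is read; a `Content-Security-Policy-Report-Only` header does not restrict framing and is deliberately not counted.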

Thanks for your suggestion. We will discuss this.

For the record: in 2021 we changed the X-Frame-Options test from RECOMMENDED into OPTIONAL: https://github.com/internetstandards/Internet.nl/issues/503

baknu, Nov 14 '23 16:11

Got a ticket regarding X-Frame-Options / CSP on the dashboard: https://github.com/internetstandards/Internet.nl-dashboard/issues/464

I'm closing it over there.

stitch, Mar 11 '24 14:03