Product | ILLiad
Version | 9.1
Ticket  | N/A
Purpose/Scope
Resolution
HttpContentSecurityPolicyHeader
- frame-ancestors 'none'; - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
- frame-ancestors 'self'; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
- frame-ancestors {uri}; - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URL.
Combining Key Values
Content-Security-Policy header values can be combined (e.g., 'none' and 'self') to add more refined restrictions. When more than one policy is returned, each one is enforced, so the most restrictive policy takes effect. For example, if ILLiad returns a frame-ancestors directive of 'self' but the webserver administrator has the server return a directive of 'none', the 'none' directive wins and the page will not be framed.
Example
If the HttpContentSecurityPolicyHeader key is set to a frame-ancestors policy of 'self' and the server admin sets a frame-ancestors policy of https://example.com, the browser will combine these directives and allow the page to be served in an iframe that originates from either the same domain (self) or from example.com.
If the Key is Left Blank
If the HttpContentSecurityPolicyHeader customization key is blank, the header defaults to frame-ancestors 'none'. This matters because ILLiad checks the value of HttpContentSecurityPolicyHeader before it checks the value of HttpXFrameOptionsHeader; the default keeps ILLiad's framing protection in place rather than leaving it to the X-Frame-Options headers set at the web server level.
HttpXFrameOptionsHeader
- deny - The web page will not be displayed at all if it is in a frame. This is the default option when the key is added.
- sameorigin - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the same origin.
- allow-from {uri} - If the web page is loaded in a frame, it will be displayed only if its frame was loaded from the specified URI.
Combining Key Values
Do NOT set multiple values for the X-Frame-Options header. They invalidate each other, and the browser ends up applying no X-Frame-Options header at all; this is true even when the same value is specified multiple times. For example, if both ILLiad and the web server are configured to return an X-Frame-Options header specifying deny, the browser will consider the value invalid and will not actually deny a page loaded in a frame.

If the HttpXFrameOptionsHeader customization key is blank or not enabled, the header will not be added at all.
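The following checker is an added example and is not ILLiad or Atlas Systems code. It models the framing rules described in both sections above (the frame-ancestors values of HttpContentSecurityPolicyHeader and the values of HttpXFrameOptionsHeader, including the precedence of the CSP header over X-Frame-Options) so an administrator can reason about what a given set of response headers, such as one header from ILLiad and one from the web server, will allow. It goes slightly beyond the text by also showing a single frame-ancestors directive that lists 'self' and an explicit origin together, which is how one directive allows more than one embedder; when several separate policies are present, each is enforced, so an embedder must satisfy all of them. The behaviour for repeated X-Frame-Options values is modelled exactly as the article states (the header is ignored); real browsers are not uniform on that case, which is the practical reason to send the header once. Names such as `framing_allowed`, the origin and header values, and the page origin `https://illiad.example.edu` are constructed for the example. Wildcard and scheme-only CSP sources are not modelled, and `allow-from` is no longer honoured by current browsers.

```python
"""Added example: evaluate whether a page may be framed, given its response headers.

Headers are passed as a list of (name, value) pairs so repeated headers (for
example one from ILLiad and one from the web server) are preserved.
"""
from urllib.parse import urlparse


def _origin(url):
    """Normalise a URL or explicit source to scheme://host[:port], lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _directive_allows(sources, page_origin, embedder_origin):
    """One frame-ancestors directive allows the embedder if any listed source matches."""
    stripped = [s.strip("'").lower() for s in sources]
    if not stripped or stripped == ["none"]:
        return False  # 'none' (or an empty list) allows nothing
    for raw, s in zip(sources, stripped):
        if s == "none":
            continue  # 'none' has no effect when other sources are listed
        if s == "self":
            if embedder_origin == page_origin:
                return True
        elif _origin(raw) == embedder_origin:  # explicit origin such as https://example.com
            return True
    return False


def framing_allowed(headers, page_origin, embedder_origin):
    """True if a frame served from embedder_origin may display the page.

    Content-Security-Policy frame-ancestors is consulted first; if any policy
    carries that directive, X-Frame-Options is not consulted at all.
    """
    page_origin = page_origin.lower()
    embedder_origin = embedder_origin.lower()

    policies = [v for n, v in headers if n.lower() == "content-security-policy"]
    directives = [fa for fa in (_frame_ancestors(p) for p in policies) if fa is not None]
    if directives:
        # Every policy is enforced separately, so the embedder must satisfy all
        # of them: the most restrictive policy wins.
        return all(_directive_allows(fa, page_origin, embedder_origin) for fa in directives)

    xfo = [v.strip().lower() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return True  # header absent: any site may frame the page
    if len(xfo) > 1:
        return True  # repeated header is treated as invalid and ignored, as the article states
    value = xfo[0]
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder_origin == page_origin
    if value.startswith("allow-from"):
        parts = value.split(None, 1)  # legacy form: "allow-from https://example.com"
        return len(parts) == 2 and _origin(parts[1]) == embedder_origin
    return True  # unrecognised value: header ignored


if __name__ == "__main__":
    page = "https://illiad.example.edu"  # constructed page origin
    # ILLiad returns 'self' and the web server adds a second policy naming example.com:
    two_policies = [
        ("Content-Security-Policy", "frame-ancestors 'self';"),
        ("Content-Security-Policy", "frame-ancestors https://example.com;"),
    ]
    # The same two sources in one directive:
    one_directive = [("Content-Security-Policy", "frame-ancestors 'self' https://example.com;")]
    for label, hdrs in (("two policies", two_policies), ("one directive", one_directive)):
        for embedder in (page, "https://example.com", "https://other.test"):
            print(f"{label:13s} embedder={embedder:28s} -> {framing_allowed(hdrs, page, embedder)}")
```

Running the block prints the decision for each combination; with two separate policies neither embedder passes both, while the single directive admits both the same origin and example.com.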