“X-Frame-Options”
-
Hi – File Security > Frames > «Enable this to stop other sites from displaying your content in a frame or iframe.»
X-Frame-Optionsare a part of content-security-header (frame-ancestors). And your plugin is not really adding theX-Frame-OptionsHeader but rather aContent-Security-Policy-Header.This is a bit confusing and in my case enabling this option overrides my own csp-rules sent with wordpress
send_headersfunction. I disabled the option for my own csp takes care of that. It would be helpful, if this option was described more clearly.regards theo
-
Hello @hjogiupdraftplus – thanks for the message. I cannot confirm that WP 6.4+ automatically sends a CSP policy. That would be very arbitrary, for how could WP possibly know the specific conditions to consider for a good CSP. I send my custom CSP with
add_action('send_headers', 'add_csp_header',10,1);regards theoHi @hjogiupdraftplus – thanks. Emphasizing
!headers_sent()! I hope no one stumbles over that. Quite a crude approach to CSP. regards theo
You must be logged in to reply to this topic.
