Commit dba3a27
committed
csp: drop frame-ancestors from meta — browsers ignore it when meta-delivered
Chrome/Firefox only enforce `frame-ancestors` from the response HTTP
header, not from <meta http-equiv>. Emitting it via meta produces a
console warning and no actual protection. Same constraint applies to
`sandbox` and `report-uri` — they need real HTTP headers.
Our GH Pages deploy has no way to set response headers per page, so we
get neither the directive nor a warning we can act on. Drop it. If we
ever move to a host that can set headers (Cloudflare Workers, Netlify
_headers, Val Town routing), re-add as a real HTTP header.
All other directives (default-src, script-src, style-src, img-src,
connect-src, worker-src, base-uri, form-action) stay — those ARE
honored from <meta http-equiv>.1 parent d5e91ef commit dba3a27
1 file changed
Lines changed: 8 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
220 | 220 | | |
221 | 221 | | |
222 | 222 | | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
223 | 231 | | |
224 | 232 | | |
225 | 233 | | |
| |||
229 | 237 | | |
230 | 238 | | |
231 | 239 | | |
232 | | - | |
233 | 240 | | |
234 | 241 | | |
235 | 242 | | |
| |||
0 commit comments