Skip to content

Commit dba3a27

Browse files
committed
csp: drop frame-ancestors from meta — browsers ignore it when meta-delivered
Chrome/Firefox only enforce `frame-ancestors` from the response HTTP header, not from <meta http-equiv>. Emitting it via meta produces a console warning and no actual protection. Same constraint applies to `sandbox` and `report-uri` — they need real HTTP headers. Our GH Pages deploy has no way to set response headers per page, so we get neither the directive nor a warning we can act on. Drop it. If we ever move to a host that can set headers (Cloudflare Workers, Netlify _headers, Val Town routing), re-add as a real HTTP header. All other directives (default-src, script-src, style-src, img-src, connect-src, worker-src, base-uri, form-action) stay — those ARE honored from <meta http-equiv>.
1 parent d5e91ef commit dba3a27

1 file changed

Lines changed: 8 additions & 1 deletion

File tree

scripts/walkthrough.mts

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -220,6 +220,14 @@ function buildCspMeta(html: string, commentBackend: string): string {
220220
const origin = new URL(commentBackend).origin
221221
connectSources.push(origin)
222222
}
223+
// Note: `frame-ancestors` and `sandbox` are ignored when CSP is
224+
// delivered via <meta http-equiv> (spec-level — browsers may have
225+
// already begun rendering a framed page by the time they parse
226+
// meta tags). We'd get a console warning for emitting them here,
227+
// with no actual clickjacking protection to show for it. When/if
228+
// this deploy moves to a host that can set response headers
229+
// (Cloudflare Workers, Netlify `_headers`, Val Town routing),
230+
// add `frame-ancestors 'none'` as a real HTTP header.
223231
const directives = [
224232
`default-src 'self'`,
225233
`script-src ${scriptSources.join(' ')}`,
@@ -229,7 +237,6 @@ function buildCspMeta(html: string, commentBackend: string): string {
229237
`worker-src 'self'`,
230238
`base-uri 'self'`,
231239
`form-action 'self'`,
232-
`frame-ancestors 'none'`,
233240
]
234241
const content = directives.join('; ')
235242
return `<meta http-equiv="Content-Security-Policy" content="${content}" />`

0 commit comments

Comments
 (0)