XFrameOptions vs CSP FrameAncestors
Video: http://youtube.com/watch?v=OQ3uQqVCD-s
#security #CSP #clickjacking

X-Frame-Options vs CSP frame-ancestors

In our earlier video we saw what Content Security Policy is and how to use its headers to protect websites from cross-site scripting, clickjacking and other security issues.
Video Link (CSP) - @kGE0

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

There are two possible directives for X-Frame-Options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

If you specify DENY, the page cannot be displayed in a frame, regardless of the site attempting to do so; even framing from the same website will fail. If you specify SAMEORIGIN, the page can only be displayed in a frame on pages of the same origin. Another option is ALLOW-FROM. This is an obsolete directive that no longer works in modern browsers; its intended functionality was that the page could be displayed in a frame only on the specified origin URI.

The problem with X-Frame-Options is that it only supports two options, either completely DENY or allow from SAMEORIGIN; you are not able to list the origin URLs that are allowed to iframe the page, because the ALLOW-FROM option is not supported by modern browsers. Also, even on old browsers, you cannot combine DENY or SAMEORIGIN with ALLOW-FROM, and ALLOW-FROM supports only a single origin URL and cannot be a wildcard.

The CSP frame-ancestors directive specifies valid parents that may embed a page using a frame, iframe, object, embed or applet.

Setting this directive to 'none' is similar to X-Frame-Options: DENY. Setting it to 'self' is similar to X-Frame-Options: SAMEORIGIN. You can even specify the origin URLs allowed to iframe the page; this is the same as the deprecated ALLOW-FROM feature of X-Frame-Options, but it can be combined with other directives and supports multiple origin URLs and wildcard entries.

If both X-Frame-Options and CSP frame-ancestors are present in the response headers, modern browsers ignore X-Frame-Options. CSP frame-ancestors is the recommended option for modern browsers, but you should enable both headers if legacy browser support is still required.
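The comparison above is easiest to check by evaluating a response header set the way a modern browser would. The following is an added example, not code from the video: a small evaluator (hypothetical helper names `framing_allowed`, `source_allows`, `parse_origin`) that applies the precedence just described, frame-ancestors wins when present, otherwise DENY / SAMEORIGIN, and otherwise framing is allowed. It supports 'none', 'self', scheme sources and host sources with a leading `*.` wildcard; path matching and the scheme-upgrade rules of the CSP spec are deliberately left out, and the sample headers are constructed for the demonstration.

```python
from urllib.parse import urlsplit


def parse_origin(origin):
    """Return (scheme, host, port) for an origin URL such as https://app.example.com."""
    p = urlsplit(origin)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return p.scheme.lower(), (p.hostname or "").lower(), port


def source_allows(source, page_origin, parent_origin):
    """Evaluate one frame-ancestors source expression against the embedding origin.

    Simplified model (assumption, not the full CSP grammar): 'none', 'self',
    a scheme source like "https:", and host sources such as
    https://partner.example, partner.example:8443 or https://*.partner.example.
    A scheme-less host source inherits the framed page's scheme here.
    """
    src = source.strip()
    if src.lower() == "'none'":
        return False
    page = parse_origin(page_origin)
    parent = parse_origin(parent_origin)
    if src.lower() == "'self'":
        return page == parent
    if src.endswith(":") and "/" not in src:           # scheme-source, e.g. "https:"
        return parent[0] == src[:-1].lower()
    if "://" not in src:                                # host-source without a scheme
        src = page[0] + "://" + src
    s_scheme, s_host, s_port = parse_origin(src)
    if s_host.startswith("*."):                         # wildcard: subdomains only, not the apex
        host_ok = parent[1].endswith(s_host[1:])
    else:
        host_ok = parent[1] == s_host
    return host_ok and parent[0] == s_scheme and parent[2] == s_port


def framing_allowed(headers, page_origin, parent_origin):
    """Decide whether page_origin may be framed by parent_origin.

    Precedence mirrors the behaviour described above: a CSP frame-ancestors
    directive, when present, is used and X-Frame-Options is ignored; otherwise
    X-Frame-Options DENY / SAMEORIGIN applies; with neither, framing is allowed.
    ALLOW-FROM is treated as unrecognised, since modern browsers no longer honour it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(source_allows(s, page_origin, parent_origin) for s in value.split())
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parse_origin(page_origin) == parse_origin(parent_origin)
    return True


# Constructed sample header sets for a page served from https://example.com.
SAMPLE_HEADERS = {
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    # Both headers: CSP lists partner subdomains, so DENY is ignored by modern browsers.
    "both": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
    },
}

if __name__ == "__main__":
    page = "https://example.com"
    parents = ["https://example.com", "https://app.partner.example", "https://partner.example", "https://attacker.example"]
    for name, hdrs in SAMPLE_HEADERS.items():
        for parent in parents:
            print(f"{name:15} framed by {parent:30} -> {'allowed' if framing_allowed(hdrs, page, parent) else 'blocked'}")
```

Run it to see that the "both" header set lets `https://app.partner.example` frame the page while blocking `https://partner.example` (the `*.` wildcard does not cover the apex) and every unrelated origin, and that the same page with only `X-Frame-Options: DENY` is blocked everywhere, including from its own origin.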
