Bug #7575
closedMissing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header
100%
Description
Nessus¶
Synopsis¶
The remote web server does not take steps to mitigate a class of web application vulnerabilities.
Description¶
The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all.
The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.
Links and related¶
https://www.tenable.com/plugins/nessus/50344
https://content-security-policy.com/
https://www.w3.org/TR/CSP2/
http://www.nessus.org/u?07cc2a06
http://www.nessus.org/u?55aa8f57
Related issues
Updated by Rajmund Hruška over 2 years ago
- Status changed from New to Closed
- Assignee set to Rajmund Hruška
- % Done changed from 0 to 100
We were using X-Frame-Options: DENY
which is said to be roughly equivalent. But it is also said that the frame-ancestors
directive obsoletes the X-Frame-Options
header. So I replaced the X-Frame-Options
header with frame-ancestors
directive.
Updated by Rajmund Hruška 3 months ago
- Related to Config #7786: Multiple issues with web configuration added