Changeset 60657

Timestamp:

08/23/2025 02:06:57 PM (4 months ago)

Author:

SergeyBiryukov

Message:

Security: Set the frame-ancestors directive in send_frame_options_header().

The X-Frame-Options HTTP response header is a way of controlling whether and how a document may be loaded inside of a child navigable. For sites using Content-Security-Policy, the frame-ancestors directive provides more granular control over the same situations.

Includes adding a headers_sent() check before sending the headers.

References:

• ​MDN Web Docs: X-Frame-Options header
• ​MDN Web Docs: Content-Security-Policy: frame-ancestors directive

Follow-up to [17826].

Props danielbachhuber, killerbishop, callumbw95, josephscott, nacin, chriscct7, iandunn, SergeyBiryukov.
Fixes #29429.

File:

• trunk/src/wp-includes/functions.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -7140 +7140 @@
  * @since 3.1.3
  *
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors
  */
 function send_frame_options_header() {
-    header( 'X-Frame-Options: SAMEORIGIN' );
+    if ( ! headers_sent() ) {
+        header( 'X-Frame-Options: SAMEORIGIN' );
+        header( "Content-Security-Policy: frame-ancestors 'self';" );
+    }
 }