Security: Set the frame-ancestors directive in send_frame_options_header().

SergeyBiryukov · SergeyBiryukov · commit 1ffab3205eee · 2025-08-23T14:06:57.000Z
The `X-Frame-Options` HTTP response header is a way of controlling whether and how a document may be loaded inside of a child navigable. For sites using `Content-Security-Policy`, the `frame-ancestors` directive provides more granular control over the same situations. Includes adding a `headers_sent()` check before sending the headers. References: * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options MDN Web Docs: X-Frame-Options header] * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors MDN Web Docs: Content-Security-Policy: frame-ancestors directive] Follow-up to [17826]. Props danielbachhuber, killerbishop, callumbw95, josephscott, nacin, chriscct7, iandunn, SergeyBiryukov. Fixes #29429. git-svn-id: https://develop.svn.wordpress.org/trunk@60657 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -7139,10 +7139,14 @@ function wp_find_hierarchy_loop_tortoise_hare( $callback, $start, $override = ar
  *
  * @since 3.1.3
  *
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors
  */
 function send_frame_options_header() {
-	header( 'X-Frame-Options: SAMEORIGIN' );
+	if ( ! headers_sent() ) {
+		header( 'X-Frame-Options: SAMEORIGIN' );
+		header( "Content-Security-Policy: frame-ancestors 'self';" );
+	}
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -7139,10 +7139,14 @@ function wp_find_hierarchy_loop_tortoise_hare( $callback, $start, $override = ar`
`7139`	`7139`	`*`
`7140`	`7140`	`* @since 3.1.3`
`7141`	`7141`	`*`
`7142`		`- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options`
	`7142`	`+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options`
	`7143`	`+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors`
`7143`	`7144`	`*/`
`7144`	`7145`	`function send_frame_options_header() {`
`7145`		`- header( 'X-Frame-Options: SAMEORIGIN' );`
	`7146`	`+ if ( ! headers_sent() ) {`
	`7147`	`+ header( 'X-Frame-Options: SAMEORIGIN' );`
	`7148`	`+ header( "Content-Security-Policy: frame-ancestors 'self';" );`
	`7149`	`+ }`
`7146`	`7150`	`}`
`7147`	`7151`
`7148`	`7152`	`/**`