Preview URLs (1 page) (comment last updated: 2026-01-30 05:23:49)

This looks good to me. Thanks!
| - `DENY` | ||
| - : The page cannot be displayed in a frame, regardless of the site attempting to do so. Not only will the browser attempt to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. | ||
| - : The document cannot be loaded in any frame, regardless of origin (both same- and cross-origin embedding is blocked). |
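Review bot: In the new `DENY` description, the parenthetical "(both same- and cross-origin embedding is blocked)" repeats what "regardless of origin" already says, which is the kind of redundancy this change sets out to remove. Consider keeping only one of the two, for example "The document cannot be loaded in any frame, regardless of origin."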
Additional text was redundant.
| - : The document cannot be loaded in any frame, regardless of origin (both same- and cross-origin embedding is blocked). | ||
| - `SAMEORIGIN` | ||
| - : The page can only be displayed if all ancestor frames have the same {{glossary("origin")}} as the page itself. You can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page. | ||
| - : The document can only be embedded if all ancestor frames have the same {{glossary("origin")}} as the page itself. |
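Review bot: The new `SAMEORIGIN` description opens with "The document" but ends with "as the page itself", so a single sentence uses two terms for the same thing. Consider "as the document itself", which would also match the new `DENY` entry, where only "document" is used.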
Additional text was inconsistent with the first statement - you can only embed content if all ancestors are sameorigin, not just the parent.
hamishwillee left a comment
@wbamberg I would probably have argued that it is obvious that not having the header would allow embedding - otherwise why would you have it. Does no harm though and definitely not worth mentioning the "if supported" thing.
I made a minor modification to the directives since they were horrible. I've approved this so you can merge if you don't hate those changes.
Yeah, I don't think it hurts to indicate what happens without it. Your other edits look great to me too, I didn't even check that.
* Fix issue 42871
* Update files/en-us/web/http/reference/headers/x-frame-options/index.md
* mention xs-leaks
* Directives - remove confusing redundancy

---------

Co-authored-by: Hamish Willee <[email protected]>
Fixes #42871.
@doerwalter, does this address the issue for you?
I took out the bit about "it only works if the browser supports it" because surely that's obvious.