| Details | |
|---|---|
| Alert ID | 10055-11 |
| Alert Type | Passive |
| Status | release |
| Risk | Medium |
| CWE | 693 |
| WASC | 15 |
| Technologies Targeted | All |
| Tags |
CWE-693 OWASP_2017_A06 OWASP_2021_A05 |
| More Info |
Scan Rule Help |
Summary
The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.Other Info
References
- https://www.w3.org/TR/CSP/
- https://caniuse.com/#search=content+security+policy
- https://content-security-policy.com/
- https://github.com/HtmlUnit/htmlunit-csp
- https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources