Security/CSP/Specification

274 bytes added, 18:39, 21 May 2010
Directives
;allow:
* The catch-all section that defines the security policy for all types of content that are not called out in any of the other directives. It defines the default policy for unspecified content types, except for <tt>frame-ancestors</tt>, which MUST be enforced as "*" when not explicitly stated.
* User Agents MUST NOT load content from any source if the <tt>allow</tt> directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'".
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives.
;frame-ancestors:
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C. If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* If this directive is not explicitly stated in the policy, it is assumed to be "*". This is different from the other source directives, which inherit the value of <tt>allow</tt>.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive. For example, if A embeds B which embeds C, and C defines <tt>frame-ancestors</tt> as "B,C", then C is not rendered as a subframe, because A is an ancestor of C but is not listed.
* Answers the question: "Which sites may embed this resource?"
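The inheritance and matching rules for <tt>allow</tt> and <tt>frame-ancestors</tt> described above, as an added example that is not part of the wiki page or of any browser implementation. It assumes a policy syntax of directives separated by ";" with sources separated by whitespace or ",", the keywords <tt>'self'</tt> and <tt>'none'</tt>, and plain host-name sources; the function names are hypothetical.

```python
# Added example: a minimal evaluator for the allow / frame-ancestors rules above.
# Assumed syntax: "allow 'self'; frame-ancestors B,C" (';' between directives,
# whitespace or ',' between sources). Origins are modelled as plain host strings.
from typing import Dict, List


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive-name: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        parts = clause.replace(",", " ").split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Apply the inheritance rules: frame-ancestors defaults to '*', every other
    directive falls back to allow, and a missing allow means 'none'."""
    if name in directives:
        return directives[name]
    if name == "frame-ancestors":
        return ["*"]
    return directives.get("allow", ["'none'"])


def source_matches(source: str, origin: str, self_origin: str) -> bool:
    """Match one source expression against an origin (host-only model)."""
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == self_origin
    return origin == source


def may_render(policy: str, self_origin: str, ancestors: List[str]) -> bool:
    """True only if EVERY ancestor in the frame tree matches frame-ancestors."""
    sources = effective_sources(parse_policy(policy), "frame-ancestors")
    return all(any(source_matches(s, a, self_origin) for s in sources)
               for a in ancestors)


def may_load(policy: str, self_origin: str, directive: str, origin: str) -> bool:
    """Check a sub-resource request of the given type (e.g. img-src) against
    the policy, falling back to allow when the directive is absent."""
    sources = effective_sources(parse_policy(policy), directive)
    return any(source_matches(s, origin, self_origin) for s in sources)
```

With the page's example (A embeds B embeds C), `may_render("frame-ancestors B,C", "C", ["A", "B"])` is false because A is not listed, while a policy that omits the directive entirely renders in any frame.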