This rule is deprecated and will eventually be removed.
Disabling the Content Security Policy frame-ancestors directive leaves the application vulnerable to clickjacking attacks.
The frame-ancestors directive in Content Security Policy (CSP) controls which origins are allowed to embed the page in frames.
When this directive is missing or set to 'none', the application does not properly restrict framing, making it susceptible to clickjacking.
This rule raises an issue when the CSP frame-ancestors directive is not configured or is explicitly disabled.
An attacker can embed the vulnerable application inside a hidden iframe on a malicious website. Users who visit the attacker’s page may unknowingly click on critical actions in the embedded application, such as changing account settings or submitting sensitive forms. This can lead to unauthorized actions being performed on behalf of the victim without their knowledge or consent.
The frame-ancestors directive should be set to a list of trusted origins that are allowed to embed the application in a frame.
Noncompliant code example, an Express application configuring CSP through Helmet's contentSecurityPolicy middleware:

const express = require('express');
const helmet = require('helmet');
let app = express();
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["'none'"] // Noncompliant: frameAncestors is set to none
    }
  })
);
Compliant solution, listing the trusted origin as an unquoted host source. In CSP, only keyword sources such as 'self' and 'none' take single quotes; a quoted host like "'example.com'" is not a valid source expression and browsers ignore it, so the host must be written without quotes:

const express = require('express');
const helmet = require('helmet');
let app = express();
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["https://example.com"] // Compliant: only this trusted origin may frame the application
    }
  })
);
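The configuration above only matters through the header it produces, so the check a practitioner wants is one that runs against the serialized Content-Security-Policy value an application actually sends. The following is an added example, not code from the rule page, from Express or from Helmet: it builds a header from a camelCase directives object (a simplified stand-in for what Helmet does, not Helmet's own code), parses a header back into directives, and reports whether frame-ancestors is missing, blocks all framing, or restricts framing to listed ancestors, flagging quoted hosts that browsers silently drop. The function names (buildCsp, parseCsp, auditFrameAncestors) and the sample headers are assumptions made for this illustration.

```javascript
// Added example; not code from the rule page, Express or Helmet. Audits a
// serialized Content-Security-Policy header for its frame-ancestors directive.
// Names (buildCsp, parseCsp, auditFrameAncestors) and the sample headers are
// assumptions made for this illustration.

// Keyword source expressions; these are the only values that take quotes.
const KEYWORD_SOURCES = new Set(["'none'", "'self'"]);

// Serialize a camelCase directives object (frameAncestors -> frame-ancestors).
// Simplified stand-in for Helmet's serialization, not Helmet's own code.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const dashed = name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
      return [dashed, ...sources].join(' ');
    })
    .join('; ');
}

// Parse a serialized CSP into a Map of directive name -> source expressions.
// A repeated directive is ignored after its first occurrence, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report how the header constrains framing:
//   effect 'unrestricted'  directive missing, any site may frame the page
//   effect 'blocked'       no ancestor may frame the page
//   effect 'restricted'    only the ancestors in `allowed` may frame the page
function auditFrameAncestors(header) {
  const sources = parseCsp(header).get('frame-ancestors');
  if (sources === undefined) {
    return { configured: false, effect: 'unrestricted', allowed: [],
             problems: ['frame-ancestors directive is missing'] };
  }
  const valid = [];
  const problems = [];
  for (const src of sources) {
    if (src.startsWith("'") && !KEYWORD_SOURCES.has(src)) {
      // A quoted host such as 'example.com' is not a valid source expression;
      // browsers drop it, so it grants nothing.
      problems.push(`invalid source ${src}: only keyword sources take quotes`);
    } else {
      valid.push(src);
    }
  }
  // 'none' only means "match nothing" when it is the sole source expression.
  const allowed = valid.filter((s) => s !== "'none'");
  if (allowed.length !== valid.length && allowed.length > 0) {
    problems.push("'none' is ignored when other sources are present");
  }
  const effect = allowed.length === 0 ? 'blocked' : 'restricted';
  if (effect === 'blocked' && valid.length === 0) {
    problems.push('no valid source expression left; all framing is blocked');
  }
  return { configured: true, effect, allowed, problems };
}

// Constructed sample headers, the last one built from a camelCase object.
const SAMPLES = [
  "default-src 'self'",
  "default-src 'self'; frame-ancestors 'none'",
  "frame-ancestors 'example.com'",
  buildCsp({ defaultSrc: ["'self'"], frameAncestors: ["'self'", 'https://example.com'] }),
];
for (const h of SAMPLES) {
  console.log(h, '=>', JSON.stringify(auditFrameAncestors(h)));
}
```

Running this over the headers a deployment really emits (for example, captured from a staging response) is a more reliable check than reading the middleware configuration, because the serialized value is what the browser enforces. The audit also makes the quoting pitfall visible: a header of `frame-ancestors 'example.com'` ends up with no valid source expression and blocks all framing rather than allowing example.com.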