X-Frame-Options header is deprecated

[albinkc]

Environment

• Elixir version (elixir -v):
  Erlang/OTP 27 [erts-15.1.2] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1] [jit]
  Elixir 1.17.3 (compiled with Erlang/OTP 27)

• Phoenix version (mix deps): phoenix 1.7.14

• Operating system: MacOS 15.1 ARM

• Firefox 132.0.2

Actual behavior

From MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-Frame-Options

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

Warning: Instead of this header, use the frame-ancestors directive in a Content-Security-Policy header.

[josevalim]

We should probably starting setting a content-security-policy header. I would at least set it to frame-ancestors 'none'; base-uri 'self'; object-src 'none'; although the base-uri is debatable.

An other option is to set this as a meta tag. It gives more visibility to users instead of hidden behind a function.

[albinkc]

looks like the frame-ancestors directive is not supported in the <meta> element

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

[josevalim]

Thanks for double checking. That's one fewer question to ask then. :)