by floatingatoll 2527 days ago
Correct. You would be expected to merge it into any CSP headers used by your app, either using (in your Apache scenario) If/Else and Header modify or by modifying your application where appropriate.

While XFO is simpler to overwrite on a global basis, it’s imprecise and doesn’t permit “allow certain sites to frame, deny all others” and is likely to become fully unsupported whenever any CSP policy is defined, given its deprecated status. Taking the XFO way out will only help you short-term at best.
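An added example of the "modify your application" route the comment describes, not code from the commenter: a small Python helper that merges a `frame-ancestors` directive into whatever Content-Security-Policy header the app already emits (or creates one if the app has none), so the framing policy is expressed as "allow these origins, deny all others" instead of relying on X-Frame-Options. The function names, the `ALLOWED_FRAMERS` list and `https://partner.example` are constructed for the illustration.

```python
"""Merge a frame-ancestors directive into an application's existing CSP header.

Assumptions (not from the original comment): ALLOWED_FRAMERS is the set of
origins permitted to frame the site; 'self' keeps same-origin framing working,
https://partner.example is a constructed sample origin.
"""

ALLOWED_FRAMERS = ("'self'", "https://partner.example")


def parse_csp(header):
    """Split a CSP header value into an ordered dict: directive -> list of sources.

    CSP directives are ';'-separated and sources inside a directive are
    whitespace-separated; directive names are case-insensitive.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, *values = part.split()
        directives[name.lower()] = values
    return directives


def serialize_csp(directives):
    """Rebuild a header value from the directive dict, preserving order."""
    return "; ".join(
        name + (" " + " ".join(values) if values else "")
        for name, values in directives.items()
    )


def csp_with_frame_ancestors(existing_csp, allowed_framers=ALLOWED_FRAMERS):
    """Return existing_csp with frame-ancestors set to allowed_framers.

    An existing frame-ancestors directive (for example a permissive '*') is
    replaced rather than duplicated, so the result is idempotent; every other
    directive the app set is kept untouched.
    """
    directives = parse_csp(existing_csp or "")
    directives["frame-ancestors"] = list(allowed_framers)
    return serialize_csp(directives)


def response_headers(app_headers, allowed_framers=ALLOWED_FRAMERS):
    """Return a copy of the app's response headers with frame-ancestors merged in.

    The CSP header name is matched case-insensitively so an app that emits
    'content-security-policy' gets its header edited, not a second one added.
    Any X-Frame-Options header the app sets is left in place for old browsers.
    """
    headers = dict(app_headers)
    key = next(
        (k for k in headers if k.lower() == "content-security-policy"),
        "Content-Security-Policy",
    )
    headers[key] = csp_with_frame_ancestors(headers.get(key), allowed_framers)
    return headers


if __name__ == "__main__":
    # Constructed sample: an app that already sends a CSP plus legacy XFO.
    sample = {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' cdn.example",
        "X-Frame-Options": "SAMEORIGIN",
    }
    for name, value in response_headers(sample).items():
        print(f"{name}: {value}")
```

Note that this only helps for the HTTP header: `frame-ancestors` is ignored when CSP is delivered in a `<meta http-equiv>` element, so an app that sets its policy that way needs the header path for this directive regardless.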