Content-Security-Policy htaccess 阻止除一个 iframe 之外的所有 iframe

Question

我的 objective 是为了阻止我的网站在 iFrame 中被访问，defend.net 除外。我能够用这条线成功地做到这一点：

Header append X-Frame-Options: "ALLOW-FROM https://*.defend.net/"

但是，我了解到它已经贬值了。

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header add Content-Security-Policy "frame-src 'self'  'https://*.defend.net';"      
    Header set Referrer-Policy "same-origin"
</IfModule>

实现我的 objective 最有效、最安全的方法是什么？我可以安全地删除它并获得相同的保护吗？

    Header set X-Frame-Options "SAMEORIGIN"

Answer 1

这是我想出的，似乎按预期工作：

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header set Content-Security-Policy "frame-src 'self'  https://www.google.com https://www.youtube.com; frame-ancestors 'self'  https://*.defend.net;"
    Header set Referrer-Policy "same-origin"
</IfModule>

Content-Security-Policy htaccess 阻止除一个 iframe 之外的所有 iframe

Content-Security-Policy htaccess block all iframes but one

security

.htaccess

iframe