
CSP Frame-Ancestors Usage Doubles Since 2023, But Top 1K Domains Slip

X-Frame-Options and CSP frame-ancestors coverage surged from 14.4% to 29.7% across the top 1 million domains, but the top 1,000 actually regressed from 27.1% to 23.1%.

Tags: Jan Kopriva, SANS ISC, Content Security Policy, X-Frame-Options, frame-ancestors, framing attacks

Only 23.1% of the top 1,000 most popular domains now send any framing protection header, down from 27.1% in 2023 — yet the rest of the internet is catching up fast, with coverage across the full Tranco million jumping from 14.4% to 29.7%.

The Top 1K Regression Isn’t a Security Backslide — It’s a Composition Shift

Jan Kopriva at SANS ISC repeated his 2023 analysis across 1 million domains using the Tranco list, scraping HTTPS responses for X-Frame-Options and the CSP frame-ancestors directive. The top 1,000 dropped because the list’s composition changed: CDN endpoints, infrastructure domains, and API backends displaced security-conscious organizations that used to sit there. Those new domains don’t serve traditional web content and send no security headers at all. In the top 100K, coverage jumped from 20.6% to 37.4%; in the full million, it doubled.

CSP Frame-Ancestors More Than Doubled in the Large Samples

X-Frame-Options with SAMEORIGIN remains the most common directive, at 19.4% of the top 1M, up from 12.4%, but the real story is CSP frame-ancestors. Adoption rose from 1.9% to 7.1% in the full million, and from 3.8% to 7.9% in the top 100K. The 'none' source value, which explicitly blocks all framing, grew from 0.20% to 2.49% in the full sample, a tenfold increase in deliberate blocking. When a response carries both headers, browsers that implement CSP Level 3 enforce frame-ancestors and ignore X-Frame-Options, so the CSP figure is the one that describes what the browser actually does on those sites. Two caveats apply when reading such numbers: frame-ancestors only works in the Content-Security-Policy header, not in a <meta> tag, and a policy sent in Content-Security-Policy-Report-Only blocks nothing.

Still, the Majority Remain Exposed for a Trivial Fix

Over 70% of the top million domains still send neither header. A single line of server config, add_header X-Frame-Options SAMEORIGIN; in nginx, would stop the framing attacks the diary is concerned with, such as loading a legitimate site in a full-screen iframe and overlaying a fake login prompt. Sites that legitimately need to be framed by partners can use frame-ancestors instead, which accepts multiple origins and wildcard subdomains, whereas X-Frame-Options offers only DENY and SAMEORIGIN (its ALLOW-FROM value is obsolete and ignored by current browsers). Either way the header has to be present on every response, including error pages and responses from backends behind a CDN, for the protection to hold. The engineering lift is minimal. Kopriva’s next check in 2028 will reveal whether the current trajectory flattens or accelerates.
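The classification a scan like this has to perform, and the precedence rule between the two headers described above, as an added example (written for this write-up, not code from the SANS ISC diary or its author). The hostnames and headers in SAMPLE_RESPONSES are constructed for the example, and the source-expression matcher is a deliberate simplification of CSP host-source matching (no port or path handling, wildcard only at the leftmost label):

```python
"""Classify framing-protection headers the way a header scan would, and
predict whether a browser would render the page inside a frame.

Constructed example; hostnames, headers and the simplified CSP matching
are assumptions made for illustration, not data or code from the study.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample responses: header dicts as a scanner would collect them.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "cdn-edge.example": {"content-type": "application/octet-stream"},
    "legacy.example": {"x-frame-options": "SAMEORIGIN"},
    "bank.example": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner.example": {
        # Both headers present: the CSP directive wins and DENY is ignored.
        "x-frame-options": "DENY",
        "content-security-policy": "frame-ancestors 'self' https://*.partner.example",
    },
    "obsolete.example": {"x-frame-options": "ALLOW-FROM https://old.example"},
    "report-only.example": {"content-security-policy-report-only": "frame-ancestors 'none'"},
}


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if it is absent.

    Handles one policy; a comma-separated list of policies would need every
    member checked, with the most restrictive one deciding.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def classify(headers: Dict[str, str]) -> Tuple[str, str]:
    """Map one response to (mechanism, policy), mechanism in 'csp'/'xfo'/'none'.

    An enforced Content-Security-Policy carrying frame-ancestors takes
    precedence and X-Frame-Options is then ignored (CSP Level 3). The
    Report-Only header is never enforced, so it counts as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            lowered = [s.lower() for s in sources]
            if lowered in ([], ["'none'"]):   # empty list matches nothing, like 'none'
                return ("csp", "none")
            if all(s == "'self'" for s in lowered):
                return ("csp", "self")
            return ("csp", "allowlist")
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return ("xfo", value.lower())
        # ALLOW-FROM is obsolete; browsers ignore unrecognised values and allow framing.
        return ("xfo", "invalid")
    return ("none", "unprotected")


def _origin_matches(source: str, origin: str, page_origin: str) -> bool:
    """Minimal host-source matcher: 'self', exact origin, or scheme://*.suffix."""
    s, o = source.lower(), origin.lower()
    if s == "'self'":
        return o == page_origin.lower()
    if "://*." in s:
        scheme, _, suffix = s.partition("://*.")
        return o.startswith(scheme + "://") and o.endswith("." + suffix)
    return s == o


def allows_framing(headers: Dict[str, str], page_origin: str, ancestor_origins: List[str]) -> bool:
    """Would the page render with this chain of ancestor frame origins?

    frame-ancestors is checked against every ancestor; SAMEORIGIN is also
    checked against every ancestor here, which is how Chromium behaves.
    """
    mech, policy = classify(headers)
    if mech == "none" or policy == "invalid":
        return True
    if mech == "xfo":
        if policy == "deny":
            return False
        return all(a.lower() == page_origin.lower() for a in ancestor_origins)
    if policy == "none":
        return False
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h["content-security-policy"]) or []
    return all(any(_origin_matches(s, a, page_origin) for s in sources) for a in ancestor_origins)


def summarize(responses: Dict[str, Dict[str, str]]):
    """Count responses per (mechanism, policy) and how many are really protected."""
    counts: Dict[Tuple[str, str], int] = {}
    protected = 0
    for headers in responses.values():
        key = classify(headers)
        counts[key] = counts.get(key, 0) + 1
        if key[0] != "none" and key[1] != "invalid":
            protected += 1
    return counts, protected, len(responses)


if __name__ == "__main__":
    counts, protected, total = summarize(SAMPLE_RESPONSES)
    for key, n in sorted(counts.items()):
        print(f"{key[0]:>4} {key[1]:<12} {n}")
    print(f"protected: {protected}/{total}")
```

Note that partner.example, which sends both X-Frame-Options: DENY and a frame-ancestors allowlist, is framable from https://app.partner.example: a scan that counted only X-Frame-Options would report it as fully blocked. Likewise obsolete.example and report-only.example both "send a header" but end up with no enforced protection, which is why a study should classify the effective policy rather than mere header presence.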


Source: How has use of framing protection security headers changed in the past 3 years?, (Wed, Jun 10th)
Domain: isc.sans.edu


