Update: Jan 2017:
Stop using child-src
and begin using frame-src
again.
In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src
and actually re-appointed it as the preferred way to achieve this. While child-src
is still supported frame-src
is once again preferred.
Old post
frame-src
is deprecated, but it was only recently made so in CSP Level 2 and not all browsers are up to the latest version of the spec.
The best approach at the moment for maximum browser compatibility is to include both child-src
and frame-src
with identical values. Browsers that only support the original CSP specification will use frame-src
while newer ones will use child-src
.
That developer console warning is of no consequence and merely informational. I would suggest you ignore it for now, because a year from now you may very well see one saying that frame-src
is deprecated.
At this time, I ensure both are used when this is needed and intend to stop providing frame-src
in January of 2017.
CSP Level 2 support:
- Firefox - Pending
- Chrome - 40+
- Opera - 27+
- Microsoft Edge - Pending
- Safari - 10+
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…