My website is www.foobarexample.com with the header
content-security-policy: frame-ancestors 'self';
I have a shareable URL
http://www.foobarexample.com/#/sharedurl/xyz?somedynamickey that must be embeddable in an iframe from any domain.
How can I do so?
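One way to relax frame-ancestors for just the shareable page while keeping 'self' everywhere else, as an added example that is not part of the original question: a small WSGI middleware that picks the header per request path. It assumes the shareable page is served from a real server path (here /shared/...), because the part of the question's URL after # is a fragment that the browser never sends to the server, so no server-side rule can key on it.

```python
# Added example, not the question author's code. Assumption: the shareable
# page lives under the hypothetical path prefix /shared/ rather than behind
# a fragment, since the fragment (#/sharedurl/xyz?...) never reaches the server.
from urllib.parse import urlsplit

DEFAULT_CSP = "frame-ancestors 'self'"
SHARED_CSP = "frame-ancestors *"      # any origin may embed this route only
SHARED_PREFIX = "/shared/"


def csp_for_path(path: str) -> str:
    """Pick the CSP value for a request path as the server sees it."""
    if path.startswith(SHARED_PREFIX):
        return SHARED_CSP
    return DEFAULT_CSP


def server_visible_path(url: str) -> str:
    """What the server actually receives: the path, never the fragment."""
    return urlsplit(url).path or "/"


class CspMiddleware:
    """Set Content-Security-Policy per request and drop any conflicting
    X-Frame-Options so the two headers cannot contradict each other."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        csp = csp_for_path(environ.get("PATH_INFO", "/"))

        def _start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers
                       if k.lower() not in ("content-security-policy",
                                            "x-frame-options")]
            headers.append(("Content-Security-Policy", csp))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


app = CspMiddleware(demo_app)


def headers_for(path: str) -> dict:
    """Run one request through the middleware and return its response headers."""
    captured = {}
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
             lambda status, headers, exc_info=None: captured.update(headers)))
    return captured
```

Note that `frame-ancestors *` permits embedding by any origin, including plain-http pages, which is exactly what the question asks for but should be confined to this one route.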
I understand that CSP can be beneficial against multiple attack methods (e.g. clickjacking, XSS), but specifically for XSS, why is it a solution?
My reason for asking this question comes from a question I was asked recently. "If input cleanup / output encoding always works, why is XSS still a thing?"
My first thoughts were: because it's not always that easy. XSS can exist in multiple contexts, in various forms, etc., and CSP (if done correctly) can be an easy way to prevent this. I have always viewed it primarily as a defense-in-depth measure that should never be used as the only mechanism against XSS.
Are there cases where input sanitization / output encoding against XSS is not sufficient?