Allow iframing any other sites

[wwwillchen]

Closes #628.

frame-src (i.e. iframing other sites) is fairly low-risk and we may as well allow iframing any site. This is different than frame-ancestors which is much more security sensitive and has a strict allowlist.

Background: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#preventing-framing-attacks-clickjacking-cross-site-leaks

[richard-to]

Does iframing an http site from say an https pose an concerns? In this case, it's definitely the developer's choice. But I did kind of like the current setting that prevented the https -> http iframing case as a kind of safe guard for people who were not thinking about that.

[wwwillchen]

Does iframing an http site from say an https pose an concerns? In this case, it's definitely the developer's choice. But I did kind of like the current setting that prevented the https -> http iframing case as a kind of safe guard for people who were not thinking about that.

I don't think so. Even if you had a weird situation where the parent frame was https://foo.com and it iframed http://foo.com (this would be pretty unusual because usually if a site supports https, then the http would redirect to https), there's not really an additional risk because they would be considered separation origins (which is basically subdomain + protocol).