Set default frame-ancestors on default Content-Security-Policy

[rzhade3]

We should consider setting a default frame-ancestors directive for the Content Security Policy. The frame-ancestors directive is the new iteration of the X-Frame-Options header, and as such setting a directive in both spots might be prudent.

secure_headers/lib/secure_headers/headers/content_security_policy_config.rb

Line 97 in b134eef

style_src: %w('self' https: 'unsafe-inline')

Since our default XFO policy is sameorigin, if we decide to take upon this task, we should set the default frame-ancestors value to be self.

Some counterpoints: setting both the X-Frame-Options and the frame-ancestors directive will cause the XFO header to be overriden by the frame-ancestors directive. This means that if a user is trying to change some framing functionality, and only changes the XFO header, they might be confused as to why the functionality didn't actually change.

[misfir3]

This means that if a user is trying to change some framing functionality, and only changes the XFO header, they might be confused as to why the functionality didn't actually change.

The override approach/mechanism wouldn't change, right? Just that they need to override both, correct?

Also, FWIW, I am for the :whynotboth: approach and the lack of a frame-ancestors default bothered me slightly.