http security content-security-policy x-frame-options websecurity

What is disposition: enforce in CSP frame-ancestors?

Quoting from here,

If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header will be ignored, per HTML’s processing model.

I don't understand the part that mentions 'disposition is "enforce"'. Can't find examples. Could someone shed some light on this?

Solution

According to https://w3c.github.io/webappsec-csp/#policy-disposition: 'Each policy has an associated disposition, which is either "enforce" or "report".' This corresponds to Content-Security-Policy and Content-Security-Policy-Report-Only, respectively. If you are using the "Report-Only" version of CSP, X-Frame-Options will not be ignored as you are not enforcing the overriding policy.

Connect from ios device to localhost
How to consume from an eventsource API requiring auth headers?
What should HTTP 201 response body be when responding to a POST request with large data?
Java client + Apache HTTP server + GZIP Compression/Decompression
How to avoid a page being added to browser history when redirecting using a meta http-equiv tag?
Best way to perform a GET request without any other libraries
How can I respond to a POST request containing JSON data with Rocket?
Can't figure out how to send a signed POST request to OKEx
How to share reqwest clients in Actix-web server?
How to solve flutter web api cors error only with dart code?
Download and get HTML code from a website
401 unAuthorized response when making get request in flutter with Dio or http packages
How to define the basic HTTP authentication using cURL correctly?
JAVA email tracking pixel keep track of reading time
Does Java have a complete enum for HTTP response codes?
After Get success, why does first Angular 9 Put request succeed on MVC Core 2.2 API Controller, but fails on next PUT with http err 302 and/or 503?
git: retry if http request failed
Android 8: Cleartext HTTP traffic not permitted
Open Android app from URL using intent-filter not working
Go file server doesn't serve folder
Why is it okay to transmit authentication/session cookies over plaintext?
Django Rest Framework: HTTP 401 Unauthorized error
HTTP test server accepting GET/POST requests
GET request times for apartments.com, but website is not down
Using Git on Windows, behind an HTTP proxy, without storing proxy password on disk
When browser sets the "referrer" in HTTP Request header?
How to configure Spring Security to allow GET method for everyone and restrict other methods to specific roles without much boilerplate?
How to set status code 404 instead of 200 for 404-page in Next.js
Delete cookie on page refresh
Accessing the web page's HTTP Headers in JavaScript