What does this mean? "Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead"

Question

I always see this in my waterfox console. Is it bad? I am not a coder or dev. So this kinda of thing doesn't make sense if it isn't in layman's terms. Thanks

Answer 1

If you're not a developer, then this will mean very little to you in general. This is a relatively vague error message regarding some security policies on websites you use. If you're not having any issues with the website that gives you this error, then you don't need to worry about it.

This answer is probably a vast oversimplification.

HTTP Requests

When the browser downloads a website for display, it sends an HTTP request and gets a response in two pieces: headers and content/body. The content/body of the request is generally what the browser will use to render the website. The headers are a way for the browser to receive extra information about the request.

frame-src and child-src

frame-src and child-src are part of the Content-Security-Policy header, which tells your browser what websites are allowed to be displayed in a <frame> or <iframe> element. (These elements essentially embed one page within another.)

Examples

Example 1: YouTube or Vimeo videos that you see shared on websites that aren't youtube.com or vimeo.com are embedded using an <iframe> element. If the Content-Security-Policy header doesn't allow this, then those videos won't show up.

Example 2: facebook.com might allow only other pages from facebook.com to be embedded. If a malicious script then tried to load google.com somewhere inside the page, the browser would not allow that.

Deprecation

The frame-src directive was deprecated in Content-Security-Policy level 2 in favor of child-src (which was introduced in level2). It was then undeprecated in level 3 to replace child-src again (although child-src is still available and not deprecated.

Features are often deprecated when they are being queued for removal. That is, when you upgrade a software from version 1.0 to version 2.0, you may see deprecation notices. When you then upgrade to version 3.0, those deprecation messages may turn into fatal errors, meaning you can't run your application.

In this case, websites may use frame-src and child-src for backwards compatibility with older browsers and therefore you may see an error message about whichever one isn't supported.