diff --git a/src/internet_identity/src/assets.rs b/src/internet_identity/src/assets.rs
index 9bab14c3c8..7ca4885079 100644
--- a/src/internet_identity/src/assets.rs
+++ b/src/internet_identity/src/assets.rs
@@ -5,7 +5,7 @@
use crate::hash::{hash_of_map, Value};
use crate::http::{security_headers, IC_CERTIFICATE_EXPRESSION_HEADER};
use crate::nested_tree::NestedTree;
-use crate::{http, state};
+use crate::state;
use base64::engine::general_purpose::STANDARD as BASE64;
use base64::Engine;
use ic_cdk::api;
@@ -97,21 +97,13 @@ pub enum ContentType {
// The "#,
&format!(r#""#),
- );
-
- html.replace(
- "",
- &format!(
- r#""#,
- &http::content_security_policy_meta()
- ),
)
}
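Review bot: With the second `html.replace` call removed, the served HTML no longer carries a CSP meta tag, so the policy is enforced only by the header built in http.rs, and nothing in this function records that this is intentional. The removed rationale in http.rs justified the meta tag by the headers not yet being certified; if that has changed (the `IC_CERTIFICATE_EXPRESSION_HEADER` import suggests response headers are now covered by certification), note it here, e.g. `// The CSP is delivered only via the certified response header; no meta-tag fallback is injected.` If the index.html template still contains the placeholder the removed call used to substitute, it is now left in the page unchanged, which is worth confirming. The enclosing function starts outside this hunk.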
diff --git a/src/internet_identity/src/http.rs b/src/internet_identity/src/http.rs
index 2fdef4e186..80689fd43c 100644
--- a/src/internet_identity/src/http.rs
+++ b/src/internet_identity/src/http.rs
@@ -179,15 +179,6 @@ pub fn security_headers() -> Vec {
/// Full content security policy delivered via HTTP response header.
///
-/// This policy also includes the `frame-ancestors` directive in addition to the policies included in the HTML `meta` tag.
-/// We deliver the CSP by header _and_ meta tag because the headers are not yet certified.
-fn content_security_policy_header() -> String {
- let meta_policy = content_security_policy_meta();
- format!("{meta_policy}frame-ancestors 'none';")
-}
-
-/// Stripped down content security policy for the HTML `meta` tag, where not all directives are supported.
-///
/// The sha256 hash matches the inline script in index.html. This inline script is a workaround
/// for Firefox not supporting SRI (recommended here https://csp.withgoogle.com/docs/faq.html#static-content).
/// This also prevents use of trusted-types. See https://bugzilla.mozilla.org/show_bug.cgi?id=1409200.
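Review bot: The doc comment left on the renamed `content_security_policy_header` no longer explains why a single policy now suffices; the deleted lines were the only place that recorded the header/meta split and its reason. Replace them with the new rationale, e.g. `/// The policy is delivered only via the response header (the HTML meta tag was dropped), so header-only directives such as frame-ancestors are included here.` and, if the header is indeed covered by response certification now, state that as well. The same doc comment continues in the hunk at L47–L55, where the `frame-ancestors 'none'` directive added at L62 should be mentioned next to the existing upgrade-insecure-requests note. The function signature itself is outside this hunk.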
@@ -218,7 +209,7 @@ fn content_security_policy_header() -> String {
///
/// upgrade-insecure-requests is omitted when building in dev mode to allow loading II on localhost
/// with Safari.
-pub fn content_security_policy_meta() -> String {
+pub fn content_security_policy_header() -> String {
let hash = assets::JS_SETUP_SCRIPT_SRI_HASH.to_string();
let csp = format!(
"default-src 'none';\
@@ -229,7 +220,8 @@ pub fn content_security_policy_meta() -> String {
form-action 'none';\
style-src 'self' 'unsafe-inline';\
style-src-elem 'self' 'unsafe-inline';\
- font-src 'self';"
+ font-src 'self';\
+ frame-ancestors 'none';"
);
#[cfg(not(feature = "insecure_requests"))]
let csp = format!("{csp}upgrade-insecure-requests;");
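Review bot: No test in this diff pins the header value, and with the meta-tag fallback gone the header is the only place `frame-ancestors 'none'` is enforced, so a later edit to this format string could silently drop clickjacking protection. A regression test such as `assert!(content_security_policy_header().contains("frame-ancestors 'none';"));` would catch that. The function body continues past the end of the hunk.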