Security by default for CSP (Security UI feature request)
Reported by skuldw...@gmail.com, Dec 19 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
By default CSP allows anything. By default frame-options allow anything.

What is the expected behavior?
Security by default. For CSP this should be: 'self'. For x-frame-options this should be: SAMEORIGIN

What went wrong?
Changing CSP and x-frame-options default behavior will break many sites. There is no UI for toggling the behavior available.

Did this work before? N/A

Chrome version: 63.0.3239.84 Channel: stable
OS Version: 10.0
Flash Version:

A Security UI toggle to enable "Security by default" would allow a "regular" user or admin to set the browser into a stricter, more secure default mode. Other security features could also be added under such a toggle. Web developers would have to change the way they do things, though. Instead of adding CSP to make pages more secure, they would also need to add CSP rules to lessen the security for pages that would break. Maybe one day in the future such a UI toggle would no longer be needed, as security by default would be the new normal.

Also, apologies for the category of this issue; I felt that a security expert might be better able to judge the merit of such a feature request than if I had put this under the UI category. I guess there is some overlap between "Blink>SecurityFeature>ContentSecurityPolicy" and "UI>Settings" and "Blink>SecurityFeature>SameOriginPolicy" here, unless there is a "UI>Settings>Security"?
Dec 21 2017

On desktop, you should be able to inject those headers via extensions, but as elawrence points out, this is likely to just break everything. So I tend to WontFix.

mkwst, estark, wdyt?
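The header injection the comment above describes, together with the breakage it predicts, as an added example that is not code from this issue or from Chromium: applySecurityDefaults() adds the reporter's requested Content-Security-Policy and X-Frame-Options values only when a response carries none, and policyAllows() is a constructed, simplified CSP source-list check used to show what default-src 'self' blocks. The {name, value} header shape is the one chrome.webRequest hands to onHeadersReceived; the sample headers, origins and URLs are constructed, and the extension manifest and permissions are assumed.

```javascript
// Added example, not code from the Chromium issue or from Chromium itself.
// applySecurityDefaults() does what the comment suggests an extension could do:
// add the reporter's "security by default" headers only when the server sent
// none. policyAllows() is a constructed, simplified CSP source-list check used
// to show why the comment expects breakage under default-src 'self'.

const DEFAULT_CSP = "default-src 'self'";
const DEFAULT_XFO = "SAMEORIGIN";

// Case-insensitive lookup; returns every matching header (CSP may be repeated).
function findHeader(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(h => h.name.toLowerCase() === wanted);
}

// Input/output shape {name, value}[] matches chrome.webRequest responseHeaders.
// Rules:
//  - add Content-Security-Policy: default-src 'self' only if no enforcing CSP
//    header exists (Content-Security-Policy-Report-Only enforces nothing, so it
//    does not count and the response still gets a default);
//  - add X-Frame-Options: SAMEORIGIN only if neither X-Frame-Options nor a CSP
//    frame-ancestors directive is present, because CSP2 says frame-ancestors
//    supersedes X-Frame-Options when both are sent.
// Existing headers are never rewritten, so a site's own policy always wins.
function applySecurityDefaults(headers) {
  const out = headers.map(h => ({ name: h.name, value: h.value }));
  const csp = findHeader(out, "Content-Security-Policy");
  const hasFrameAncestors = csp.some(h => /(^|;)\s*frame-ancestors\b/i.test(h.value));
  if (csp.length === 0) {
    out.push({ name: "Content-Security-Policy", value: DEFAULT_CSP });
  }
  if (findHeader(out, "X-Frame-Options").length === 0 && !hasFrameAncestors) {
    out.push({ name: "X-Frame-Options", value: DEFAULT_XFO });
  }
  return out;
}

// Serialized policy -> Map(directive -> source list). As in CSP, the first
// occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified source matching (constructed for this example): handles *, 'self',
// 'none', exact origins, bare hosts and *.host wildcards. Nonces, hashes,
// 'unsafe-inline' and path matching are deliberately out of scope.
function policyAllows(policy, directive, pageOrigin, resourceUrl) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) || directives.get("default-src");
  if (!sources) return true; // no directive and no default-src fallback: unrestricted
  const url = new URL(resourceUrl);
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") return url.origin === pageOrigin;
    if (s.startsWith("*.")) return url.hostname.endsWith(s.slice(1));
    return url.origin === s || url.hostname === s;
  });
}

// Constructed sample: a typical response that sets no security headers at all.
const SAMPLE_HEADERS = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "Cache-Control", value: "no-store" },
];

// Extension wiring (Manifest V2 blocking webRequest, which is what existed when
// this issue was filed). Guarded so the file also runs under Node; the
// manifest's webRequest/webRequestBlocking/host permissions are assumed.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: applySecurityDefaults(details.responseHeaders || []) }),
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```

Running policyAllows("default-src 'self'", "script-src", "https://example.com", "https://cdn.example.net/app.js") returns false, which is the breakage the comment anticipates: every third-party script, stylesheet, font and image, and every inline script or style (no 'unsafe-inline', nonce or hash), is blocked until the site ships a policy that loosens it. Manifest V3 restricts blocking webRequest to policy-installed extensions, so a current equivalent would use declarativeNetRequest modifyHeaders rules instead.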
Comment 1 by elawrence@chromium.org, Dec 19 2017

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Linux OS-Mac Type-Feature