Harry Torry

Reputation: 373

Cross Domain policy allow Youtube

I ONLY want scripts from my site, YouTube and AddThis to be loaded; nothing else is allowed. This is my crossdomain.xml:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="my website url"/>
    <allow-access-from domain="www.youtube.com"/>
    <allow-access-from domain="ct1.addthis.com"/>
</cross-domain-policy>

Can anybody tell me where I've gone wrong or how to verify that my site is using the crossdomain.xml file please?

Kind Regards, Harry

edit:

<IfModule mod_headers.c>
    Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' data:"

    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>
</IfModule>

Where do I add https://www.youtube.com to this to allow my embedded videos to play? Here's the stack trace although I doubt it's very helpful.

Error in event handler for (unknown): Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
Stack trace: Error: Blocked a frame with origin "https://www.youtube.com" from accessing a cross-origin frame.
    at Error (native)
    at setupffoverrides (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:151:86)
    at checkgenpwfillforms (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:152:33)
    at receiveBG (chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/onloadwff.js:130:210)
    at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
    at EventImpl.dispatchToListener (extensions::event_bindings:395:22)
    at Function.target.(anonymous function) (extensions::SafeBuiltins:19:14)
    at Event.publicClass.(anonymous function) [as dispatchToListener] (extensions::utils:65:26)
    at EventImpl.dispatch_ (extensions::event_bindings:378:35)
    at EventImpl.dispatch (extensions::event_bindings:401:17) 

edit 2:

I've changed it to the following, but I'm still getting the same trace.

    Header set X-Content-Security-Policy: "allow 'self' https://www.youtube.com; options inline-script; img-src 'self' data:" 

Upvotes: 2

Views: 1841

Answers (1)

SilverlightFox

Reputation: 33538

If you want to prevent scripts being loaded apart from those specified, you need a Content Security Policy, not a crossdomain.xml file.

A CSP can help prevent XSS attacks because only authorised content is allowed to execute. So if a malicious user injects some script into the page, the script will not execute if 'unsafe-inline' is not specified by your policy.

Update after edit

If you need YouTube to access your site cross-domain, then you need to implement CORS. This is essentially the output of the Access-Control-Allow-Origin header from your pages to allow other domains to bypass the Same Origin Policy and access your content client side.

Upvotes: 1
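To make the answer's point concrete, here is an added example (not the poster's or the answerer's code) that evaluates a Content-Security-Policy against sample loads: scripts from the three permitted origins, an injected inline script, and an embedded YouTube player, which is governed by frame-src rather than by the script list. The site origin and the policy are constructed, and the source matching is a simplified subset of the CSP rules.

```python
"""Tiny CSP evaluator: does a Content-Security-Policy permit a given load?
Added example, not the poster's or answerer's code. Uses the standard header
syntax (not the obsolete X-Content-Security-Policy "allow" form) and models
only 'self', 'none', 'unsafe-inline', scheme sources and host sources."""
from urllib.parse import urlsplit

# Directives consulted for each load type, in CSP fallback order.
FALLBACK = {"script": ["script-src", "default-src"],
            "frame": ["frame-src", "child-src", "default-src"],
            "img": ["img-src", "default-src"]}

def parse_csp(policy):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:                   # a repeated directive is ignored, as browsers do
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def source_matches(src, url, page_origin):
    target, page = urlsplit(url), urlsplit(page_origin)
    if src == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if src.startswith("'"):          # 'none', 'unsafe-inline', nonces never match a URL
        return False
    if src.endswith(":"):            # scheme source such as https: or data:
        return target.scheme == src[:-1].lower()
    scheme, _, host = src.rpartition("://")
    host = host.split("/")[0].split(":")[0].lower()   # paths and ports are not modelled
    if target.scheme not in {scheme.lower() or page.scheme, "https"}:
        return False                 # a schemeless host source inherits the page scheme
    if host.startswith("*."):        # *.youtube.com matches subdomains, not the bare host
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host

def allowed(policy, load_type, url, page_origin):
    """True if the policy lets `url` load as `load_type`; url=None means an inline script."""
    directives = parse_csp(policy)
    for name in FALLBACK[load_type]:
        if name in directives:
            if url is None:
                return "'unsafe-inline'" in directives[name]
            return any(source_matches(s, url, page_origin) for s in directives[name])
    return True                      # no governing directive: the load is unrestricted

# Constructed stand-ins for the poster's site and for the policy the question is after.
PAGE = "https://www.example.com"
POLICY = ("default-src 'none'; script-src 'self' https://www.youtube.com https://ct1.addthis.com; "
          "frame-src https://www.youtube.com; img-src 'self' data:")
```

With this policy an injected inline script is refused because 'unsafe-inline' is absent, while a policy that only lists YouTube under script-src leaves the player iframe to default-src, so it is blocked whenever default-src is 'self'.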
