Reputation: 7636
I'm trying to prevent my content being loaded into an IFrame, so I implemented the Content-Security-Policy header:
Response.AddHeader("Content-Security-Policy", "frame-ancestors *.twitter.com");
On purpose, to test in various browsers, I set it to Twitter, in the hope that when I framed my content it would break.
However, I get the following warning in Chrome, yet the content is still shown.
Refused to display 'http://corsupport.azurewebsites.net/sandbox' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.twitter.com".
Fairly new to this policy so any advice would be great.
I've successfully implemented:
Response.AddHeader("Access-Control-Allow-Origin", "http://localhost:61021");
Upvotes: 4
Views: 8256
Reputation: 7636
It's actually a Chrome bug which should now be fixed in the dev channel.
Upvotes: 2
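What an enforcing browser is expected to decide for the header in the question, as an added example (not part of the original posts and not browser source code): a simplified JavaScript model of `frame-ancestors` source matching. The function names and the `mobile.twitter.com` ancestor are assumptions made for illustration, and the CSP spec's path and port-upgrade rules are left out.

```javascript
// Simplified model of CSP frame-ancestors matching (hypothetical helper names).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname,
           port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

// Does one source expression match one ancestor origin?
function sourceMatches(expr, ancestor, self) {
  const e = expr.toLowerCase();
  if (e === "*") return ancestor.scheme === "http:" || ancestor.scheme === "https:";
  if (e === "'self'") {
    return ancestor.scheme === self.scheme && ancestor.host === self.host &&
           ancestor.port === self.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return ancestor.scheme === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false; // unparseable expressions match nothing
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme the expression inherits the protected page's scheme;
  // an http expression also matches the https upgrade.
  const want = scheme ? scheme + ":" : self.scheme;
  const schemeOk = ancestor.scheme === want ||
                   (want === "http:" && ancestor.scheme === "https:");
  // "*.twitter.com" covers subdomains only, never the bare "twitter.com".
  const hostOk = wildcard ? ancestor.host.endsWith("." + host) : ancestor.host === host;
  const portOk = port === "*" ||
                 ancestor.port === (port || DEFAULT_PORT[ancestor.scheme]);
  return schemeOk && hostOk && portOk;
}

// ancestorOrigins: every embedding frame, from the parent up to the top-level page.
function framingAllowed(policy, selfOrigin, ancestorOrigins) {
  const directive = policy.split(";").map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "frame-ancestors");
  if (!directive) return true; // no frame-ancestors directive: no CSP framing limit
  const sources = directive.slice(1); // an empty list or 'none' matches no ancestor
  const self = parseOrigin(selfOrigin);
  return ancestorOrigins.map(parseOrigin)
    .every(a => sources.some(s => sourceMatches(s, a, self)));
}

const policy = "frame-ancestors *.twitter.com";     // header value from the question
const page = "http://corsupport.azurewebsites.net"; // framed page from the question
console.log(framingAllowed(policy, page, ["http://localhost:61021"]));     // false
console.log(framingAllowed(policy, page, ["https://mobile.twitter.com"])); // true
```

Because every ancestor in the chain must match, a permitted subdomain nested inside a non-matching top-level page is still refused.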