Reputation: 2330
iframe refuses to display
I am trying to load a simple iframe into one of my web pages but it is not displaying. I am getting this error in Chrome:
Refused to display 'https://cw.na1.hgncloud.com/crossmatch/index.do' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://cw.na1.hgncloud.com".
Invalid 'X-Frame-Options' header encountered when loading 'https://cw.na1.hgncloud.com/crossmatch/index.do': 'ALLOW-FROM https://cw.na1.hgncloud.com' is not a recognized directive. The header will be ignored.
This is the code for my iframe:
<p><iframe src="https://cw.na1.hgncloud.com/crossmatch/" width="680" height="500" frameborder="0"></iframe></p>
I am not really sure what that means. I have loaded plenty iframes before and never received such errors.
Any ideas?
Upvotes: 114
Views: 420207
Answers (5)
Reputation: 2250
The same issue appears to me, don't open the page in a private window.
You can use multiple browsers if you need to log in with different users.
Upvotes: 1
Reputation: 950
In my case it was that the site i was embedding had a specific url for embedding content and a different url for sharing
the url i had set in the iframe was
https://site/share/2432423232
changing it to
https://site/embed/2432423232
worked for me
Upvotes: 3
Reputation: 24886
For any of you calling back to the same server for your IFRAME, pass this simple header inside the IFRAME page:
Content-Security-Policy: frame-ancestors 'self'
Or, add this to your web server's CSP configuration.
Upvotes: 4
Reputation: 3184
The reason for the error is that the host server for https://cw.na1.hgncloud.com has provided some HTTP headers to protect the document. One of which is that the frame ancestors must be from the same domain as the original content. It seems you are attempting to put the iframe at a domain location that is not the same as the content of the iframe - thus violating the Content Security Policy that the host has set.
Check out this link on Content Security Policy for more details.
Upvotes: 24
Reputation: 3334
It means that the http server at cw.na1.hgncloud.com send some http headers to tell web browsers like Chrome to allow iframe loading of that page (https://cw.na1.hgncloud.com/crossmatch/) only from a page hosted on the same domain (cw.na1.hgncloud.com) :
Content-Security-Policy: frame-ancestors 'self' https://cw.na1.hgncloud.com
X-Frame-Options: ALLOW-FROM https://cw.na1.hgncloud.com
You should read that :
- https://developer.mozilla.org/en-US/docs/Web/Security/CSP
- https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Upvotes: 105
Related Questions
- iFrame not showing inline HTML content
- html : iframe not showing content in html
- iFrame don't want to display
- My iframe is not showing for some reason
- Iframe content not showing
- IFRAME won't load content from page
- iframe not displaying properly
- iFrame not working - turns up blank
- can't display the content of an iframe
- iframe from my website not loading