mchinaloy

Reputation: 1494

Nginx CSP frame-src ignored

I have an Nginx CSP configured as follows:

add_header Content-Security-Policy "default-src 'self';script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js;img-src 'self' https://ssl.google-analytics.com data:;style-src 'self' 'unsafe-inline';font-src 'self' 'unsafe-inline';frame-src 'self' https:;object-src 'self';connect-src 'self' ws:;media-src 'self'";

When I try to load a page in Chrome I see:

Refused to frame 'https://myexternalwebsite.com/a/b/index.html' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

In my CSP, frame-src is clearly set and has the values 'self' and https:

What could I be doing wrong?

Upvotes: 3

Views: 4908

Answers (1)

mchinaloy

Reputation: 1494

A bit strange but I managed to fix this by specifying:

frame-src 'self' *;

This satisfies my requirements.

Upvotes: 2
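The browser message in the question is about CSP's fallback chain: when frame-src is absent from the policy the browser actually received, it falls back to child-src and then to default-src. The following Python script is an added example, not code from the question or answer, that parses a CSP header, resolves which directive governs a framed URL, and applies the source-matching rules for 'self', scheme sources such as https:, the wildcard * and host sources. The "as received" header and the page origin https://example.invalid are constructed assumptions used to reproduce the console message; the "as configured" header is the policy from the question.

```python
"""Resolve which CSP directive governs a framed URL and whether it is allowed."""
import re
from urllib.parse import urlsplit

# CSP3 fallback chain: when a directive is absent, the browser consults the next one.
FALLBACK = {
    "frame-src": "child-src", "worker-src": "child-src", "child-src": "default-src",
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "font-src": "default-src", "connect-src": "default-src", "media-src": "default-src",
    "object-src": "default-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# host-source: [scheme://] [*.] host [:port|:*] [/path]  (path is ignored here)
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<wild>\*\.)?(?P<host>[^:/*]+)"
    r"(?::(?P<port>\d+|\*))?(?:/.*)?$", re.I)

# Policy from the question (as configured in nginx).
HEADER_AS_CONFIGURED = (
    "default-src 'self';script-src 'self' 'unsafe-eval' https://www.google-analytics.com/analytics.js;"
    "img-src 'self' https://ssl.google-analytics.com data:;style-src 'self' 'unsafe-inline';"
    "font-src 'self' 'unsafe-inline';frame-src 'self' https:;object-src 'self';"
    "connect-src 'self' ws:;media-src 'self'")
# Constructed: a policy without frame-src, which is what the console message implies the browser got.
HEADER_AS_RECEIVED = "default-src 'self';script-src 'self'"
# Policy from the accepted fix in the answer.
HEADER_WITH_STAR = "default-src 'self';frame-src 'self' *"
PAGE_ORIGIN = "https://example.invalid"  # hypothetical origin of the page being framed from


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source, ...]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, directive):
    """Walk the fallback chain until a present directive is found; None if nothing applies."""
    name = directive
    while name not in policy:
        name = FALLBACK.get(name)
        if name is None:
            return None
    return name


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def source_matches(source, url, page_origin):
    """Does one source expression allow `url` when the document lives at `page_origin`?"""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if source == "'none'":
        return False
    if source == "*":  # matches every network scheme, but not data:, blob: or filesystem:
        return u.scheme not in ("data", "blob", "filesystem")
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source, re.I):  # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    m = HOST_SOURCE.match(source)
    if not m:
        return False
    if m["scheme"]:
        if u.scheme != m["scheme"].lower():
            return False
    elif u.scheme not in (p.scheme, "https"):  # no scheme given: page scheme, or https upgrade
        return False
    host = m["host"].lower()
    if m["wild"]:
        if not (u.hostname or "").endswith("." + host):
            return False
    elif u.hostname != host:
        return False
    if m["port"] and m["port"] != "*":
        return _port(u) == int(m["port"])
    return m["port"] == "*" or u.port is None  # no port in source: only the default port matches


def check_frame(header, frame_url, page_origin=PAGE_ORIGIN):
    """Return (directive actually used, allowed?) for framing `frame_url`."""
    policy = parse_csp(header)
    name = governing_directive(policy, "frame-src")
    if name is None:
        return ("(no directive)", True)
    return (name, any(source_matches(s, frame_url, page_origin) for s in policy[name]))


if __name__ == "__main__":
    target = "https://myexternalwebsite.com/a/b/index.html"
    for label, hdr in (("configured", HEADER_AS_CONFIGURED), ("received", HEADER_AS_RECEIVED),
                       ("with *", HEADER_WITH_STAR)):
        print(label, check_frame(hdr, target))
```

Run the check against the header the browser actually sees (for example the Content-Security-Policy line from `curl -sI` on the page), not against the nginx configuration file: the console message quotes a policy in which frame-src is absent, so the header served to the browser differed from the one shown in the config, and that difference is what to chase.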
