user1519054

Reputation: 103

Neo4j browser in an iframe - how to set frame-ancestors security policy

With Neo4j community version 3.1.1, I successfully embedded the Neo4j browser in an iframe in a web application I created. With version 3.2.0, the following error occurs when trying to view the browser through an iframe:

Refused to display 'http://xxxxxx:7474/browser/' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

Is there a way to configure the Neo4j server to set Content-Security-Policy: frame-ancestors 'self' or to the specific address where I am running Neo4j?

Upvotes: 3

Views: 1346

Answers (1)

Donatello

Reputation: 3745

This behavior is due to the following headers (as for Neo4J 3.2.1):

  • Content-Security-Policy: frame-ancestors 'none'
  • X-Frame-Options: DENY

Those headers are hardly enforced by the org.neo4j.server.web.StaticContentFilter that is statically loaded by org.neo4j.server.web.Jetty9WebServer.loadStaticContent(SessionManager, String).

So for now, it seems there is no option or parameter that can be used to bypass this security.

Any update is welcome!

Upvotes: 1
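To make the effect of the two headers quoted in the answer concrete, here is an added example (not code from the question, the answer or the Neo4j project) that evaluates whether a given ancestor origin may frame a page, using the rules browsers apply to a `frame-ancestors` directive and, when that directive is absent, to `X-Frame-Options`. The page URL, host names and the "relaxed" policy the question asks for are constructed sample values; the `frame-ancestors 'none'` / `X-Frame-Options: DENY` pair is the one the answer reports for Neo4j 3.2.1. The matcher goes slightly beyond the page's case by handling `'self'`, scheme-sources such as `https:`, host-sources with an optional scheme, port or leading wildcard, and the rule that a present `frame-ancestors` directive makes browsers ignore `X-Frame-Options`.

```python
"""Decide whether an ancestor origin may frame a page, from its response headers.

Added example; all URLs and headers below are constructed sample data.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, effective port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def parse_frame_ancestors(csp):
    """Return the source expressions of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _split_host_source(expr):
    """Split a host-source such as 'https://*.example.com:8443' into (scheme, host, port)."""
    scheme, rest = (expr.split("://", 1) if "://" in expr else (None, expr))
    rest = rest.split("/", 1)[0]            # ignore any path component
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return scheme, rest, port


def source_matches(expr, ancestor, page):
    """Does one frame-ancestors source expression (already lower-cased) match the ancestor origin?"""
    a_scheme, a_host, a_port = _origin(ancestor)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (a_scheme, a_host, a_port) == _origin(page)
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:   # scheme-source, e.g. "https:"
        return a_scheme == expr[:-1]
    e_scheme, e_host, e_port = _split_host_source(expr)
    if e_scheme and e_scheme != a_scheme:        # stricter than the spec's http->https upgrade rule
        return False
    if e_host.startswith("*."):
        # "*.example.com" matches sub-domains but not the bare domain itself
        if not (a_host.endswith(e_host[1:]) and a_host != e_host[2:]):
            return False
    elif e_host != a_host:
        return False
    if e_port is None:
        # no port in the source: only the scheme's default port matches
        return a_port == DEFAULT_PORTS.get(e_scheme or a_scheme)
    return e_port == "*" or e_port == str(a_port)


def framing_allowed(headers, page, ancestor):
    """True if `ancestor` may embed `page` given the page's response `headers`.

    A present frame-ancestors directive takes precedence and X-Frame-Options is
    ignored, which is how CSP-aware browsers behave; otherwise X-Frame-Options decides.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, ancestor, page) for s in sources)  # empty list == 'none'
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(ancestor) == _origin(page)
    return True   # no framing restriction was sent


# Constructed sample data. The first header set mirrors the pair reported in the answer.
PAGE = "http://neo4j.example:7474/browser/"
NEO4J_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
# The kind of policy the question asks for: the Neo4j host itself plus one trusted web app.
RELAXED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://app.example",
}

if __name__ == "__main__":
    for name, hdrs in (("neo4j 3.2", NEO4J_HEADERS), ("relaxed", RELAXED_HEADERS)):
        for anc in ("http://neo4j.example:7474", "https://app.example", "https://evil.example"):
            print(f"{name:10} {anc:28} framing allowed: {framing_allowed(hdrs, PAGE, anc)}")
```

Run as a script to print the decision matrix; the `NEO4J_HEADERS` row is refused for every ancestor, including the Neo4j host itself, which is exactly the browser error quoted in the question. If a reverse proxy in front of Neo4j is used to rewrite the headers, the same function can be pointed at the proxied response to confirm that only the intended ancestors pass before the iframe is deployed.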
