rbryn

Reputation: 11

CSP policy error - Unable to show iframe from subdomain of primary source

I get the following error when trying to iframe something from an original source.

Refused to display 'https://www.aphis.usda.gov/something' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.usda.gov *.arcgis.com *.govdelivery.com".

The source page url is "http://soemthing.aphis.usda.gov/iframetest.html"

The full CSP is:

Content-Security-Policy:default-src *.usda.gov *.googleapis.com *.arcgis.com *.govdelivery.com; script-src 'unsafe-inline' 'unsafe-eval' 'self' *.bootstrapcdn.com *.google-analytics.com *.googleapis.com *.gstatic.com *.youtube.com *.ytimg.com api.flickr.com *.twitter.com *.twimg.com *.arcgis.com *.govdelivery.com *.addthis.com *.addthisedge.com *.usda.gov; connect-src *.bootstrapcdn.com *.usda.gov *.googleapis.com *.google-analytics.com *.facebook.com *.twitter.com *.arcgis.com *.govdelivery.com; img-src https: data:;style-src 'self' 'unsafe-inline' *.usda.gov *.googleapis.com *.bootstrapcdn.com *.arcgis.com *.govdelivery.com *.twitter.com *.twimg.com;child-src 'self' *.youtube.com *.arcgis.com *.addthis.com; frame-ancestors 'self' *.usda.gov *.arcgis.com *.govdelivery.com;

Everything appears correct to me. I have frame-ancestors set to allow a wildcard from *.usda.gov.

I'm trying to load it from something.aphis.usda.gov which should be allowed due to the wildcard... or do I need to set a wildcard for a subdomain of a subdomain "*.aphis.usda.gov"?

Upvotes: 1

Views: 2180

Answers (1)

Aleksandr Oleynikov

Reputation: 117

The problem is that the protocols of the source page (http://soemthing.aphis.usda.gov/iframetest.html) and the iframe page (https://www.aphis.usda.gov/something) are different. So they have different default ports.

Look at the page https://www.w3.org/TR/CSP2/#match-source-expression, #9:

If the source expression does not contain a port-part and url-port is not the default port for url-scheme, then return does not match.

In your case the source expression is *.usda.gov. There is no port number. The default port for the https protocol of your protected resource is 443. So the source page must have the same port 443. But you embed the iframe into an http page whose default port is 80. So the ports do not match and you get an error about a content security policy violation.

Upvotes: 1
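To make the matching steps the answer cites concrete, here is an added example that is not code from the question, the answer or the W3C specification: a small Python matcher modelled on the CSP2 source-expression steps (scheme, then host, then port), run against the policy and URLs quoted on this page. It is a deliberate simplification: it handles host-sources and 'self' only, it omits path matching and the spec's other special cases, and a scheme-less expression is required to match the protected resource's scheme exactly. `PAGE_POLICY` is the header value from the question; the function and variable names are my own.

```python
"""Added example: trace a CSP2-style frame-ancestors check step by step."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Header value quoted in the question (only frame-ancestors matters here).
PAGE_POLICY = (
    "default-src *.usda.gov *.googleapis.com *.arcgis.com *.govdelivery.com; "
    "child-src 'self' *.youtube.com *.arcgis.com *.addthis.com; "
    "frame-ancestors 'self' *.usda.gov *.arcgis.com *.govdelivery.com;"
)
PROTECTED = "https://www.aphis.usda.gov/something"          # the framed document
HTTP_ANCESTOR = "http://something.aphis.usda.gov/iframetest.html"
HTTPS_ANCESTOR = "https://something.aphis.usda.gov/iframetest.html"


def origin_parts(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS[scheme]
    return scheme, (u.hostname or "").lower(), port


def parse_source_expression(expr: str):
    """Split a host-source such as https://*.example.com:8443 into
    (scheme or None, host, port) where port is None, "*" or an int."""
    scheme = None
    rest = expr
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    port = None
    if ":" in rest:
        rest, p = rest.rsplit(":", 1)
        port = "*" if p == "*" else int(p)
    return scheme, rest.lower(), port


def match_source(expr: str, url: str, protected_url: str) -> Optional[str]:
    """Return None when `expr` matches `url`; otherwise the name of the step
    that rejected it (self / scheme / host / port), in CSP2 order."""
    url_scheme, url_host, url_port = origin_parts(url)
    prot = origin_parts(protected_url)

    if expr == "'self'":
        # 'self' is the protected resource's own origin: scheme, host AND port.
        return None if (url_scheme, url_host, url_port) == prot else "self"

    ex_scheme, ex_host, ex_port = parse_source_expression(expr)

    # An explicit scheme must match the URL; an absent one is taken from the
    # protected resource (simplification: no http->https allowance modelled).
    if ex_scheme is not None and ex_scheme != url_scheme:
        return "scheme"
    if ex_scheme is None and url_scheme != prot[0]:
        return "scheme"

    # A leading "*." matches any number of subdomain labels, not the bare domain.
    if ex_host.startswith("*."):
        if not url_host.endswith(ex_host[1:]):
            return "host"
    elif ex_host != url_host:
        return "host"

    # Port: explicit port must match; with no port-part the URL must sit on the
    # default port for its own scheme (80 for http, 443 for https).
    if ex_port == "*":
        return None
    if ex_port is not None and ex_port != url_port:
        return "port"
    if ex_port is None and url_port != DEFAULT_PORTS.get(url_scheme):
        return "port"
    return None


def frame_ancestors_directive(policy: str) -> Optional[List[str]]:
    """Pull the frame-ancestors source list out of a serialized CSP header."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def ancestor_allowed(policy: str, ancestor_url: str, protected_url: str) -> Tuple[bool, Dict[str, str]]:
    """Return (allowed, {source_expression: failing_step}) for one ancestor."""
    sources = frame_ancestors_directive(policy)
    if sources is None:
        return True, {}                       # no directive: CSP imposes no limit
    if sources == ["'none'"]:
        return False, {"'none'": "none"}
    failures: Dict[str, str] = {}
    for expr in sources:
        why = match_source(expr, ancestor_url, protected_url)
        if why is None:
            return True, {}
        failures[expr] = why
    return False, failures


if __name__ == "__main__":
    for ancestor in (HTTP_ANCESTOR, HTTPS_ANCESTOR):
        print(ancestor, "->", ancestor_allowed(PAGE_POLICY, ancestor, PROTECTED))
```

The matcher reports which step rejected each source expression. For the http ancestor of the https document, `*.usda.gov` is rejected at the scheme and default-port stage (http on port 80 against https on 443) rather than at the host stage, and the same ancestor served over https on port 443 passes. So `*.usda.gov` already covers `something.aphis.usda.gov`; a separate `*.aphis.usda.gov` entry is not what is missing.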
