Reputation: 53
I don't know how to solve an issue with the Content Security Policy.
I have Apache2 running on Debian on a Raspberry.
On one of my web pages I'm calling this script:
https://sis.redsys.es/sis/NC/redsys.js
And it only works on IE11 :(
On Chrome and Firefox it doesn't work.
I added these lines to security.conf on Apache:
Header set X-Frame-Options: "sameorigin"
Header append X-Frame-Options "ALLOW-FROM https://sis.redsys.es/sis/NC/redsys.js"
Header append X-Frame-Options "ALLOW-FROM https://sis.redsys.es*"
Header append X-Frame-Options "ALLOW-FROM https://www.redsys.es/"
#Header set Content-Security-Policy: "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'"
But it still isn't working.
I get this from Chrome:
Refused to display 'https://sis.redsys.es/sis/getInputNC?buttonValue=5061676172&styleButton=&styleBody=&styleBox=&styleBoxText=&frame=inSite&fuc=323233313038383533&terminal=31&order=303030304153' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://www.bancsabadell.com https://www.google.es".
Upvotes: 1
Views: 8799
Reputation: 21
This gets an A+ score from observatory.mozilla.org:
Header set Content-Security-Policy "default-src 'none'; img-src 'self' data:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self' sis.redsys.es; frame-ancestors 'self'"
If your website needs to add 'unsafe-inline' to script-src then the score will drop to B.
Upvotes: 2
Reputation: 2024
I have been looking at this for some time now, and what it basically says is that www.redsys.es doesn't allow you to use their content in an iFrame.
Upvotes: -1
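As an added example (not code from the question or from Redsys), this is how a browser evaluates the frame-ancestors directive quoted in Chrome's error: the decision is made from the CSP of the framed response, so the X-Frame-Options values set on the embedding site never enter into it. The embedding origin https://my-raspberry.example is a placeholder standing in for the asker's own site, and the rest of the sample header is constructed.

```python
"""Evaluate a CSP frame-ancestors directive against an embedding origin.
Constructed example (not code from the question or Redsys): the decision uses the
*framed* response's CSP, so headers the embedding site sets never enter into it."""
from urllib.parse import urlsplit

# frame-ancestors value quoted in Chrome's error in the question; rest is constructed.
FRAMED_RESPONSE_CSP = ("default-src 'self'; "
                       "frame-ancestors https://www.bancsabadell.com https://www.google.es")
FRAMED_ORIGIN = "https://sis.redsys.es"
DEFAULT_PORTS = {"http": 80, "https": 443}
def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_allows(source: str, origin: str, self_origin: str) -> bool:
    """CSP3 matching of one frame-ancestors source expression (no port wildcards)."""
    o = urlsplit(origin)
    if source == "'self'":
        return origin == self_origin
    if source.endswith(":") and "//" not in source:  # scheme-source such as https:
        return o.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"{o.scheme}://{source}")
    if s.scheme != o.scheme and (s.scheme, o.scheme) != ("http", "https"):
        return False  # only the http -> https upgrade is tolerated
    origin_port = o.port or DEFAULT_PORTS.get(o.scheme)
    if (s.port or DEFAULT_PORTS.get(o.scheme)) != origin_port:
        return False
    host = s.hostname or ""
    if host.startswith("*."):  # *.example.com matches any subdomain, not the bare domain
        return bool(o.hostname) and o.hostname.endswith(host[1:])
    return host == o.hostname

def frame_allowed(csp_header: str, embedder_origin: str, framed_origin: str) -> bool:
    """True if embedder_origin may frame a page served with csp_header. A missing
    frame-ancestors imposes no restriction (default-src does not cover it)."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    return any(source_allows(s, embedder_origin, framed_origin) for s in sources)
if __name__ == "__main__":  # "https://my-raspberry.example" is a placeholder for the asker's site
    for embedder in ("https://www.bancsabadell.com", "https://my-raspberry.example"):
        print(embedder, "->", frame_allowed(FRAMED_RESPONSE_CSP, embedder, FRAMED_ORIGIN))
```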