Reputation: 1939
I'm trying to disable all iframes from my website by setting it in the Content-Security-Policy headers of my response in the Node layer. According to Mozilla Developer Network, the property should look like this from the perspective of the client-side:
Content-Security-Policy: frame-ancestors 'none';
That's fine, here's how I'm setting it in the Node layer in my middleware:
app.use(function (req, res, next) {
/* Clickjacking prevention */
res.header('Content-Security-Policy', "frame-ancestors 'none'")
next()
})
and here's how it appears in the client-side when I inspect network activity:
However, when I embed a YouTube iframe, such as the following:
<iframe
width="420"
height="345"
src="https://www.youtube.com/embed/tgbNymZ7vqY"/>
it's not disabled. Why does the frame-ancestors policy appear to have no effect? Testing this on Chrome for what it's worth.
Upvotes: 3
Views: 9885
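Added example (not code from the original question): `frame-ancestors` controls who may frame your page, so it never touches an `<iframe>` your page itself loads; the directive for that is `frame-src`. The helper below builds and parses CSP header values, checks whether a given policy would allow a given embed URL, and shows the question's middleware shape with both directives set. It assumes a plain Node `res.setHeader` (which Express responses also expose) and handles only `'none'`, `*`, scheme-sources and host-sources (with an optional `*.` wildcard); `'self'`, nonces, hashes and path matching are out of scope.

```javascript
// Added example, not from the original question: why frame-ancestors 'none'
// leaves the YouTube embed alone.
//   frame-ancestors -> who may put THIS page inside a frame (clickjacking defence)
//   frame-src       -> what THIS page may load into its own <iframe>s
// Browsers resolve a frame load against frame-src, then child-src, then
// default-src; if none of those is present the load is allowed.

// Serialise a directive map into a header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Would this policy let the page load `url` into an <iframe>?
// Supports 'none', '*', scheme-sources (https:) and host-sources with an
// optional *. wildcard; anything else is treated as not matching.
function policyAllowsFrame(header, url) {
  const policy = parseCsp(header);
  const sources = policy['frame-src'] || policy['child-src'] || policy['default-src'];
  if (!sources) return true;
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^/:]+)/i);
    if (!m) return false;
    const [, scheme, wildcard, host] = m;
    if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
    const h = host.toLowerCase();
    return wildcard ? target.hostname.endsWith(`.${h}`) : target.hostname === h;
  });
}

// Same middleware shape as the question's, now with both directives
// (assumes res.setHeader, which Node and Express both provide).
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', buildCsp({
    'frame-ancestors': ["'none'"], // nobody may frame this page
    'frame-src': ["'none'"],       // this page frames nobody (blocks the embed)
  }));
  next();
}
```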