a coder

Reputation: 7639

content security policy: allow site A to embed content from site B (csp blocked error appears on site A)

One of our servers (VideoServer) recently had its config changed. Since that time I'm getting Content Security Policy errors with pages served from FrontEndServer, where those pages have an embedded iframe sourced to VideoServer.

I've gone so far as to temporarily set FrontEndServer's httpd config to have only the following header: Header always append X-Frame-Options ALLOW, being sure to restart the httpd service after the change.

I continue to get a CSP error when viewing the front end content on FrontEndServer:

Blocked by Content Security Policy

An error occurred during a connection to VideoServer. 

Is it possible to configure VideoServer's CSP policy such that FrontEndServer would get CSP blocked errors when attempting to iframe content from VideoServer? I'm not wanting that to happen, am trying to track down what the issue is.

Upvotes: 1

Views: 2228

Answers (1)

a coder

Reputation: 7639

Got this sorted by more closely reading documentation. I needed to configure VideoServer to allow specific external sites (e.g., FrontEndServer) to display its content. This is handled with the frame-ancestors option.

FrontEndServer config: (note we are aware of the inline styles/scripts - this is a legacy site so a lot of work has to be done)

Header set Content-Security-Policy "frame-ancestors 'self' ursula.genetics.emory.edu https://www.googletagmanager.com https://www.google-analytics.com https://browser-update.org ; script-src 'self' 'unsafe-inline' https://googletagmanager.com https://browser-update.org https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline'; frame-src 'self' VideoServerURL; "
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

VideoServer config:

Header set Content-Security-Policy "frame-ancestors 'self' FrontEndServerURL;"
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Hope someone else finds this of use.

Upvotes: 1
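An added example, not part of the question or answer above: a small Python checker that applies the frame-ancestors matching the answer relies on, so a policy can be checked before it is deployed and the blocked state in the question (VideoServer sending only 'self') can be reproduced without a browser. The hostnames are constructed placeholders, not the servers from the page.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first directive wins, as in browsers
    return policy

def _split_source(source):
    """Break a host source (https://a.example:8443, *.example, https:) into (scheme, host, port)."""
    if "://" not in source and source.endswith(":"):
        return source[:-1].lower(), "*", None          # scheme-only source such as "https:"
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    host, _, port = rest.partition(":")
    return scheme.lower(), host.lower(), int(port) if port else None

def _origin(url):
    o = urlsplit(url)
    return o.scheme.lower(), o.hostname, o.port or DEFAULT_PORTS.get(o.scheme.lower())

def source_matches(source, embedder, page):
    """Does one frame-ancestors source expression let a document at `embedder` frame `page`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(embedder) == _origin(page)
    scheme, host, port = _split_source(source)
    e_scheme, e_host, e_port = _origin(embedder)
    if scheme and scheme != e_scheme:
        return False
    if not scheme and e_scheme != _origin(page)[0] and e_scheme != "https":
        return False  # a scheme-less source inherits the page's scheme; only an http->https upgrade is tolerated
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):
            return False
    elif host != "*" and host != e_host:
        return False
    return port is None or port == e_port

def frame_allowed(csp_header, page, embedder):
    """True if `page` (which sends csp_header) may be framed by a document at `embedder`."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True  # no frame-ancestors directive: CSP alone imposes no framing restriction
    return any(source_matches(s, embedder, page) for s in sources)
```

With the constructed hosts `https://video.example.test` (framed) and `https://front.example.test` (embedder), `frame-ancestors 'self'` returns False and `frame-ancestors 'self' front.example.test` returns True, which is exactly the change the answer made on VideoServer.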
