Dustyn Altimus

Reputation: 336

How do I correctly set CSP to allow for iframe use on my own domains?

I am trying to place an iframe on one of my pages with another webpage on my own domain as the source and getting the error that access has been denied. After looking up the issue, it seems the CSP is the problem. I have never set it up, and I'm guessing it is on by default or set up by my hosting provider. Either way, I have tried many solutions I found online and none are working.

I have read over https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

I have tried setting the CSP in the HTML of the page being placed in the iframe with various syntax.

And, I have tried setting it in my htaccess file with various syntax.

However, none of my attempts has changed the situation and allowed the iframe to be loaded... How do I solve this?

Ideally, I would like to allow my domain and subdomains to do this through htaccess so it works site-wide.

EDIT: I found that adding this line to my htaccess seems to work on some level, but now instead I get a different error, "Requests to the server have been blocked by an extension."

Header set Content-Security-Policy "frame-src *.dustynaltimus.com;"

Upvotes: 2

Views: 5010

Answers (1)

Dustyn Altimus

Reputation: 336

Found the solution:

Header always set Content-Security-Policy "frame-ancestors https://*.mysite.com;"

Upvotes: 7
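
An added example, not part of the original post: `frame-src` (the header in the question) governs what a page may embed, while `frame-ancestors` (the header in the answer) is sent by the framed page and governs who may embed it. The sketch below is a simplified, single-ancestor version of CSP source matching for checking a header before deploying it; the function names are hypothetical and origins are assumed to be normalized.

```python
from urllib.parse import urlsplit
# Added example: hypothetical helper names, simplified CSP matching (no IPv6, ws/wss).
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Split a CSP header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def scheme_ok(expected, actual):
    # CSP lets an http source also match the https upgrade of the same host.
    return actual == expected or (expected == "http" and actual == "https")

def source_matches(source, ancestor, self_origin):
    """Simplified match of one frame-ancestors source against an ancestor origin."""
    a = urlsplit(ancestor)
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == self_origin
    if source == "*":
        return a.scheme in DEFAULT_PORTS
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return scheme_ok(source[:-1].lower(), a.scheme)
    scheme, sep, rest = source.partition("://")
    if not sep:                                   # no scheme given: use the framed page's
        scheme, rest = urlsplit(self_origin).scheme, source
    host, _, port = rest.split("/")[0].lower().partition(":")
    a_host = (a.hostname or "").lower()
    a_port = a.port or DEFAULT_PORTS.get(a.scheme)
    if not scheme_ok(scheme.lower(), a.scheme):
        return False
    if host.startswith("*."):                     # wildcard: subdomains only, not the apex
        if not a_host.endswith(host[1:]):
            return False
    elif host != a_host:
        return False
    return port == "*" or a_port == (int(port) if port else DEFAULT_PORTS.get(a.scheme))

def frame_allowed(header, ancestor, self_origin):
    """True if the framed page's CSP lets `ancestor` embed it (single ancestor only)."""
    policy = parse_csp(header)
    if "frame-ancestors" not in policy:           # no default-src fallback for this directive
        return True
    return any(source_matches(s, ancestor, self_origin) for s in policy["frame-ancestors"])
```

Run against the answer's header, a page on `https://mysite.com` itself is rejected because `*.mysite.com` matches subdomains only; listing `'self'` or the apex origin alongside the wildcard covers that case.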
