Sébastien Helbert

Reputation: 2210

Need help understanding a CSP report and setting the right frame-ancestors URL

I am trying to include my web application as an Office add-in. The add-in includes my app using an iframe, so I need to adjust the Content-Security-Policy header of my app to make it work.

Currently the value of the header is content-security-policy: frame-src 'self' ; frame-ancestors 'self'; object-src 'none';. If I set the header to content-security-policy: frame-src 'self' * ; frame-ancestors 'self' *; object-src 'none'; everything works fine, but I don't want to allow everyone to include my app in an iframe.

So I tried to restrict it using something like content-security-policy: frame-src 'self' https://outlook.live.com; frame-ancestors 'self' https://outlook.live.com ; object-src 'none'; but that does not work. Chrome's JS console says: Refused to frame 'https://auth-recette-broc.kinexo.fr/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://outlook.live.com".

And the CSP report is:

{
  "document-uri": "https://auth-mywebsite.xx/",
  "referrer": "https://yy-mywebsite.xx/",
  "violated-directive": "frame-ancestors",
  "effective-directive": "frame-ancestors",
  "original-policy": "frame-src 'self'  https://outlook.live.com; frame-ancestors 'self' https://outlook.live.com ; object-src 'none';",
  "disposition": "report",
  "blocked-uri": "https://auth-mywebsite.xx/",
  "status-code": 0,
  "script-sample": ""
}

I do not understand this CSP report:

  1. Why does the URL of the parent frame (https://outlook.live.com) not appear as document-uri?
  2. Why is the frame refused when the document-uri and blocked-uri attributes are identical and 'self' is allowed to frame?
  3. How can I know which URL must be listed in frame-ancestors to allow framing?

Upvotes: 0

Views: 1182

Answers (1)

granty

Reputation: 8546

Why does the URL of the parent frame (https://outlook.live.com) not appear as document-uri?

The frame-ancestors directive is special: it applies to the parent page, while other directives apply to the page itself (the one that published the CSP).
Therefore, in case of a frame-ancestors violation, the document-uri is the URL of the frame itself (the page that publishes the CSP).

Why is the frame refused when the document-uri and blocked-uri attributes are identical and 'self' is allowed to frame?

blocked-uri in case of frame-ancestors is browser dependent:

  • Chrome shows as blocked-uri the URI of the blocked container (iframe) itself.
  • Firefox takes blocked-uri from the top-level window (but for nesting level >1 Firefox has a bug and sends an empty blocked-uri).

So, in Chrome blocked-uri will be equal to document-uri.

As I understand it, you have a https://yy-mywebsite.xx page which embeds https://auth-mywebsite.xx/.
The https://auth-mywebsite.xx/ page publishes the CSP frame-ancestors 'self'; object-src 'none';
In this case 'self' means https://auth-mywebsite.xx/, therefore embedding into https://yy-mywebsite.xx is not allowed. You have to have at least frame-ancestors 'self' https://yy-mywebsite.xx; object-src 'none';

How can I know which URL must be listed in frame-ancestors to allow framing?

The frame-ancestors directive checks all ancestors (the entire upstream chain of parents), not only the nearest parent. Therefore you have to specify all hosts that are allowed to embed your iframe.

Upvotes: 2
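To make the whole-chain rule from the answer concrete, here is an added Python example (not from the question, the answer, or any browser's code) that evaluates a frame-ancestors source list against every ancestor of the framed document and names the first ancestor that fails, which a Chrome report never tells you because its blocked-uri is the framed document itself. The ancestor chain (yy-mywebsite.xx inside outlook.live.com) is a constructed assumption based on the referrer in the question, and the host-source matching is a simplified version of the CSP rules.

```python
from urllib.parse import urlsplit

# Constructed inputs mirroring the question: the framed document and its ancestor
# chain, nearest parent first (the Office add-in host is assumed to be the top frame).
DOCUMENT_URI = "https://auth-mywebsite.xx/"
ANCESTORS = ["https://yy-mywebsite.xx/", "https://outlook.live.com/"]

def origin_of(url):
    """scheme://host[:port], lower-cased; paths play no part in frame-ancestors matching."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors_sources(policy):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(source, ancestor_origin, self_origin):
    """Simplified host-source matching: 'self', '*', exact origins and '*.' host wildcards."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == self_origin
    if source == "*":
        return True
    scheme, host = ancestor_origin.split("://", 1)
    src_scheme, _, src_host = source.rpartition("://")  # scheme is optional in a host-source
    # A scheme in the source must match, except that http:// also matches an https:// ancestor.
    if src_scheme and src_scheme != scheme and not (src_scheme == "http" and scheme == "https"):
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # "*.live.com" matches "outlook.live.com"
    return src_host == host

def first_blocked_ancestor(policy, document_uri, ancestors):
    """Walk the whole chain, as the answer describes: every ancestor must match a source.
    Returns the first ancestor that matches none (framing is refused), or None if allowed."""
    sources = frame_ancestors_sources(policy)
    if sources is None:  # no directive: CSP does not restrict framing at all
        return None
    self_origin = origin_of(document_uri)
    for ancestor in ancestors:
        if not any(source_matches(s, origin_of(ancestor), self_origin) for s in sources):
            return ancestor
    return None
```

With the policy from the question, first_blocked_ancestor returns https://yy-mywebsite.xx/, and it returns None once that host is added to the source list alongside https://outlook.live.com.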
