Reputation: 33
I have a strange problem with an IIS hosted website. The site has two bindings. Let's call them https://abc.xxx.com and https://def.yyy.com.
I have set the following for CSP
Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com
There is a page on that website that has an iframe with src="https://abc.xxx.com/somepath". When I access the page from the first URL binding, the iframe loads fine. If I access it with the second I get:
Refused to frame 'https://abc.xxx.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
Now for the even weirder part. If I change my CSP to include the second binding like below, the iframe loads.
Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com https://*.yyy.com
I can't explain why this is the case. The iframe src is clearly using the first binding. Why would it require the second one in order to work? There is no redirect going on from one binding to another. I tried removing the wildcards and putting the whole binding but there was no change.
Any input is appreciated!
Upvotes: 0
Views: 1521
Reputation: 8546
There is nothing weird, have a look at the scheme below. I have just removed the subdomains and the https:// scheme; they both don't matter in this case:
xxx.com in address bar
frame-ancestors 'self' xxx.com
.---<iframe src= xxx.com/path ---.
| frame-ancestors 'self' xxx.com |
|                                |
'--------------------------------'
Iframe is loaded because xxx.com in the address bar falls under frame-ancestors 'self' xxx.com (under both of the sources: 'self' and xxx.com).
yyy.com in address bar
frame-ancestors 'self' xxx.com
.---<iframe src= xxx.com/path ---.
| frame-ancestors 'self' xxx.com |
|                                |
'--------------------------------'
Iframe is not loaded because yyy.com in the address bar does not fall under either 'self' or xxx.com.
Just a violation message:
Refused to frame 'https://abc.xxx.com/' because an ancestor violates
the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
is a little bit misleading and should be treated as:
Refused to frame 'https://abc.xxx.com/' because an ancestor HTTPS://YYY.com violates
the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
Upvotes: 1
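To make the evaluation described in the answer concrete, here is an added Python model of how a browser matches the frame-ancestors directive against the top-level (address bar) origin; it is example code, not from the answer or any browser. It is simplified: it handles only 'self', 'none' and host-sources, and treats a host-source with no scheme as matching any scheme. Run over the question's two bindings it reproduces both outcomes.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin_of(url: str):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or DEFAULT_PORTS.get(scheme)

def host_source_matches(source: str, origin) -> bool:
    """Match one host-source (e.g. https://*.xxx.com or abc.xxx.com:443) against an origin.
    Simplification (assumption): a source without a scheme accepts any scheme."""
    scheme, host, port = origin
    src_scheme, sep, rest = source.partition("://")
    if not sep:
        src_scheme, rest = "", source
    src_host, _, src_port = rest.partition(":")
    if src_scheme and src_scheme.lower() != scheme:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    src_host = src_host.lower()
    if src_host.startswith("*."):
        # "*.xxx.com" covers abc.xxx.com but not the bare xxx.com, as in CSP
        return host.endswith(src_host[1:])
    return host == src_host

def frame_allowed(policy: str, framed_url: str, ancestor_url: str) -> bool:
    """Decide whether the page at framed_url, which sent `policy`, may be framed
    by a document whose origin is ancestor_url (what the address bar shows)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        if sources == ["'none'"]:
            return False
        ancestor = origin_of(ancestor_url)
        for src in sources:
            if src == "'self'":
                # 'self' is the framed page's own origin, not the ancestor's
                if ancestor == origin_of(framed_url):
                    return True
            elif host_source_matches(src, ancestor):
                return True
        return False  # directive present but no source matched the ancestor
    return True  # no frame-ancestors directive: CSP does not restrict framing
```

The ancestor checked is the origin of the document containing the iframe, so with the second binding in the address bar the only way to satisfy the policy is to list that origin, which is exactly what the question observed.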