Reputation: 33
CSP: frame-ancestor failing
I have a strange problem with an IIS hosted website. The site has two bindings. Lets call them https://abc.xxx.com and https://def.yyy.com.
I have set the following for CSP
Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com
There is a page on that website that has an iframe with src="https://abc.xxx.com/somepath". When I access the page from the first URL binding the iframe loads fine. If I access it with the second I get:
Refused to frame 'https://abc.xxx.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
Now for the even weirder part. If I change my CSP to include the second binding like below, the iframe loads.
Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com https://*.yyy.com
I can't explain why this is the case. The iframe src is clearly using the first binding. Why would it require the second one in order to work? There is no redirect going on from one binding to another. I tried removing the wildcards and putting the whole binding but there was no change.
Any input is appreciated!
Upvotes: 0
Views: 1521
Answers (1)
Reputation: 8546
There is nothing weird, have a look at the scheme below. I have just removed subdomains and https:// scheme, they both don't matter in this case:
xxx.com in address bar
frame-ancestors 'self' xxx.com
.---<iframe src= xxx.com/path ---.
| frame-ancestors 'self' xxx.com |
| |
'--------------------------------'
Iframe is loaded because xxx.com in the address bar falls under frame-ancestors 'self' xxx.com (under both of sources: 'self' and xxx.com).
yyy.com in address bar
frame-ancestors 'self' xxx.com
.---<iframe src= xxx.com/path ---.
| frame-ancestors 'self' xxx.com |
| |
'--------------------------------'
Iframe is not loaded because yyy.com in the address bar does not fall under either 'self' or xxx.com.
Just a violation message:
Refused to frame 'https://abc.xxx.com/' because an ancestor violates
the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
is a little bit misleading and should be treated as:
Refused to frame 'https://abc.xxx.com/' because an ancestor HTTPS://YYY.com violates
the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
Upvotes: 1
Related Questions
- How to allow all frame ancestors with CSP header?
- Refused to frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors
- Add binding specific CSP frame-ancestors HTTP header in IIS Site
- Content Security Policy directive: “frame-ancestors” missing but there?
- CSP: frame-src violation with empty blocked-uri
- Content security policy frame-ancestors not working in IE 11
- CSP: child-src and frame-src deprecated
- CSP policy error - Unable to show iframe from subdomain of primary source
- violated frame-ancestors with asterisk value
- Content-Security-Policy + frame-ancestors