content security policy frame-ancestors

Question

I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header:

Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.

I am able to load the content on iframe when I give the header as

Content-Security-Policy: frame-ancestors http://*.example.com/.

But when I change the header to:

Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html.

Then the content on iframe is getting loaded for the first time but gives below error when I refresh the web page

Refused to display 'https://....' in a frame because an ancestor violates the following Content Security Policy directive:

frame-ancestors self http://*.example.com/abc.html.

Can anyone tell why it's giving error on refreshing the page. Also, does frame-ancestors considers the full URL (http://*.example.com/abc.html) or only the hostname like http://*.example.com?

Answer 1

Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:

• Remove the path, it is not according to the specification to use more than the scheme, host and port.
• Use the expected scheme (http/https) or remove the scheme.
• Use wildcard https://*.example.com, not just https://.example.com
• Use 'self', not self

Answer 2

Chrome browser has a bug - it's not support paths in the frame-ancestors directive. Safari nas the same bug, and only lasets Firefox supports paths in this directive.

So for frame-ancestors instead of http://.example.com/abc.html you have to use http://.example.com host-source.
For other directives you can use paths and filenames.