Reputation: 111
I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header:
Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.
I am able to load the content in the iframe when I give the header as
Content-Security-Policy: frame-ancestors http://*.example.com/.
But when I change the header to:
Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html.
Then the content in the iframe is loaded the first time, but it gives the error below when I refresh the web page:
Refused to display 'https://....'
in a frame because an ancestor violates the following Content Security Policy directive:
frame-ancestors self http://*.example.com/abc.html.
Can anyone tell me why it's giving an error on refreshing the page?
Also, does frame-ancestors consider the full URL (http://*.example.com/abc.html) or only the hostname like http://*.example.com?
Upvotes: 10
Views: 58323
Reputation: 3475
Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:
Upvotes: 1
Reputation: 8546
Chrome has a bug: it does not support paths in the frame-ancestors directive. Safari has the same bug, and only the latest Firefox supports paths in this directive.
So for frame-ancestors, instead of http://*.example.com/abc.html you have to use the host-source http://*.example.com.
For other directives you can use paths and filenames.
Upvotes: 8
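To make the advice in this answer and the matching question from the asker concrete, here is an added example (not code from the question or either answer). It rewrites each URL in a frame-ancestors list to a host-source, as the answer recommends, and then applies the CSP host-source matching rules (scheme, wildcard host, port) to a candidate parent page so you can see which ancestors a header admits. One caveat that is easy to miss in the headers quoted in the question: keyword sources such as 'self' have to be single-quoted in the header value; an unquoted self is parsed as a host named "self". The function names and the example hosts are placeholders chosen for this demo.

```javascript
// Added example, not code from the original question or answers.
// buildFrameAncestors(): turn a list of source expressions into a
// frame-ancestors directive, dropping paths (Chrome/Safari ignore them).
// ancestorAllowed(): apply CSP host-source matching to a candidate parent.
// Function names and sample hosts are assumptions for this demo.

// scheme://host[:port][/path], with "*" or "*.example.com" as host
const SOURCE_RE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[a-z0-9.-]+|[a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i;

function buildFrameAncestors(sources) {
  const warnings = [];
  const parts = sources.map((src) => {
    if (/^'(self|none)'$/.test(src)) return src; // quoted keyword: keep as-is
    if (/^(self|none)$/.test(src)) {
      // CSP keywords need single quotes; a bare "self" is a host named self.
      warnings.push(`${src}: keyword sources must be quoted, using '${src}'`);
      return `'${src}'`;
    }
    const m = SOURCE_RE.exec(src);
    if (!m) throw new Error(`invalid source expression: ${src}`);
    const [, scheme, host, port, path] = m;
    if (path && path !== '/') {
      warnings.push(`${src}: path "${path}" dropped, not matched by Chrome/Safari`);
    }
    return (scheme ? `${scheme}://` : '') + host + (port ? `:${port}` : '');
  });
  return { header: `frame-ancestors ${parts.join(' ')}`, warnings };
}

// Does a parent page at ancestorUrl satisfy the directive? selfOrigin is the
// origin of the framed document (what 'self' and a scheme-less source refer to).
function ancestorAllowed(directive, ancestorUrl, selfOrigin) {
  const ancestor = new URL(ancestorUrl);
  const self = new URL(selfOrigin);
  const sources = directive.replace(/^frame-ancestors\s+/i, '').trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((src) => {
    if (src === "'self'") return ancestor.origin === self.origin;
    const m = SOURCE_RE.exec(src);
    if (!m) return false;
    const [, schemePart, hostPart, portPart] = m;
    // Scheme: explicit scheme, else the framed document's; http also admits https.
    const scheme = (schemePart || self.protocol.slice(0, -1)).toLowerCase();
    const schemeOk = ancestor.protocol === `${scheme}:` ||
      (scheme === 'http' && ancestor.protocol === 'https:');
    // Host: "*" matches anything, "*.example.com" needs at least one subdomain label.
    const host = hostPart.toLowerCase();
    const aHost = ancestor.hostname;
    const hostOk = host === '*' ||
      (host.startsWith('*.') ? aHost.endsWith(host.slice(1)) : aHost === host);
    // Port: absent means the scheme's default port only; "*" means any port.
    const aPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
    const portOk = portPart === '*' ||
      (portPart === undefined ? ancestor.port === '' : aPort === portPart);
    return schemeOk && hostOk && portOk;
  });
}

// Usage with the header from the question (hosts are placeholders):
const built = buildFrameAncestors(['self', 'http://*.example.com/abc.html']);
console.log(built.header, built.warnings);
console.log(ancestorAllowed(built.header, 'https://app.example.com/page', 'https://content.example.net'));
```

Note what the matching shows: with the host-source form, any page on a subdomain of example.com can frame the content, regardless of path, and http://*.example.com also admits https ancestors on the default port; the bare apex example.com does not match the wildcard, and a non-default port does not match a source that names no port.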