VKS

Reputation: 567

Refused to frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors

So I implemented a CSP filter for tomcat. I am trying to show an iframe which is running locally on my tomcat server.

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CSPFilter implements Filter {

    public static final String POLICY = "frame-ancestors https://10.10.11.172";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header before anything downstream commits the response.
            ((HttpServletResponse) response).setHeader("Content-Security-Policy", CSPFilter.POLICY);
        }
        // Continue the chain; without this the servlet never runs and the body is empty.
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }

}

and included in web.xml

<filter>
  <filter-name>CSPFilter</filter-name>
  <filter-class>com.vocera.reportservice.CSPFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CSPFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

but still I get the following error

Refused to frame 'https://10.10.11.172:8443/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://10.10.11.172".

Also tried with "frame-src 'self' https://10.10.11.172;"; after that the error went away, but the page was blank.

Upvotes: 6

Views: 16170

Answers (1)

Halvor Sakshaug

Reputation: 3475

If the port is not the default port, you will need to include it in the source of the CSP. As per https://www.w3.org/TR/CSP2/#match-source-expression:

  1. If the source expression does not contain a port-part and url-port is not the default port for url-scheme, then return does not match.

  2. If the source expression does contain a port-part, then return does not match if both of the following are true:

    1. port-part does not contain an U+002A ASTERISK character (*)
    2. port-part does not represent the same number as url-port

Upvotes: 1
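As an added example (not the asker's filter or the answerer's code), here is a Python port of the CSP2 host-source matching steps the answer quotes, run against the question's policy and the framed URL, so you can check a `frame-ancestors` value before deploying it. The helper names are mine, and it assumes plain host or IPv4 sources only: no IPv6 literals and no keyword sources such as 'self'.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def source_matches(source_expr: str, url: str) -> bool:
    """CSP2 'match source expression' for one host-source such as
    'https://10.10.11.172', '10.10.11.172:8443' or 'https://*.example.com:*'.
    Assumed simplification: hostnames/IPv4 only, no IPv6 literals."""
    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    url_host = (u.hostname or "").lower()
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(url_scheme)

    # Split the expression into scheme-part, host-part and port-part.
    scheme_part, rest = None, source_expr.lower()
    if "://" in rest:
        scheme_part, rest = rest.split("://", 1)
    host_part, _, port_part = rest.split("/", 1)[0].partition(":")

    # Scheme: an explicit scheme-part must equal the URL's scheme. Without one
    # the spec compares against the protected resource's scheme; here, as an
    # assumption, the URL scheme just has to be http or https.
    if scheme_part is not None and scheme_part != url_scheme:
        return False
    if scheme_part is None and url_scheme not in DEFAULT_PORTS:
        return False

    # Host: '*.example.com' covers subdomains, anything else is an exact match.
    if host_part.startswith("*."):
        if not url_host.endswith(host_part[1:]):
            return False
    elif host_part != url_host:
        return False

    # Port, the two steps quoted in the answer: no port-part means only the
    # scheme's default port matches; '*' matches any port; otherwise the
    # number must equal the URL's explicit-or-default port.
    if not port_part:
        return url_port == DEFAULT_PORTS.get(url_scheme)
    if port_part == "*":
        return True
    return port_part.isdigit() and int(port_part) == url_port

def frame_allowed(frame_ancestors_value: str, ancestor_url: str) -> bool:
    """True if the embedding page's URL matches any source in the value of a
    frame-ancestors directive (the check the browser error in the question
    reports as failing)."""
    return any(source_matches(s, ancestor_url) for s in frame_ancestors_value.split())
```

With the question's policy, `frame_allowed("https://10.10.11.172", "https://10.10.11.172:8443/")` is False, while adding `:8443` (or `:*`) to the source makes it True.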
