Reputation: 175
I would like to make my website embeddable only to selected domains so I've used the CSP directive frame-ancestors:
Content-Security-Policy: frame-ancestors 'self' https://example.com/;
It works well, in fact, when I try to embed a page from mysite it displays:
mysite.com has refused the connection.
How can I show a courtesy page or a custom message instead of the one above?
Upvotes: 2
Views: 129
Reputation: 421
You can use the 'report-uri' directive in your CSP header. It allows you to specify a URL where the browser will send reports when a violation of your CSP policy occurs. When a connection is refused by 'frame-ancestors', a custom message may be displayed.
Create the custom page/message that you wish to display when connections are refused.
Host the aforementioned page and write down your fresh URL.
In the CSP header of your main site, add the report-uri directive and set the URL as the value:
Content-Security-Policy: frame-ancestors 'self' https://myexample.net/; report-uri https://myerrorsite.net/custom-message.html
Upvotes: 0
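What a report-uri endpoint receives when frame-ancestors blocks an embed, as an added example that is not part of the original posts: the browser POSTs a JSON violation report in the background, which the site can parse and log. The allow-listed origin, the /csp-report path, the mysite.example and other.example hosts and the sample report are constructed assumptions.

```python
import json

ALLOWED = ["https://example.com"]   # assumed allow-list of embedding origins
REPORT_PATH = "/csp-report"         # hypothetical report endpoint on the same site

def build_csp(embedders, report_url):
    """Header value: who may frame the page, and where violations are reported."""
    return "frame-ancestors 'self' " + " ".join(embedders) + "; report-uri " + report_url

def parse_frame_report(body):
    """Return a summary of a frame-ancestors violation report, else None."""
    try:
        report = json.loads(body.decode("utf-8"))["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(report, dict):
        return None
    # Some reports carry only violated-directive (the full directive text).
    directive = str(report.get("effective-directive")
                    or report.get("violated-directive") or "").split()
    if not directive or directive[0] != "frame-ancestors":
        return None
    return {"document": report.get("document-uri"), "referrer": report.get("referrer")}

def app(environ, start_response):
    """WSGI app serving the framed page and accepting violation reports."""
    if environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] == REPORT_PATH:
        size = min(int(environ.get("CONTENT_LENGTH") or 0), 8192)  # cap untrusted body
        hit = parse_frame_report(environ["wsgi.input"].read(size))
        if hit:
            print("blocked embed:", hit)  # forward to logging/alerting in practice
        start_response("204 No Content", [])  # the response body is never rendered
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", build_csp(ALLOWED, REPORT_PATH))])
    return [b"<p>page content</p>"]

# Constructed sample of the JSON body a browser POSTs to report-uri.
SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://mysite.example/page",
    "referrer": "https://other.example/",
    "effective-directive": "frame-ancestors",
    "original-policy": build_csp(ALLOWED, REPORT_PATH),
}}).encode()

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```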