Anand Singh

Reputation: 103

Refused to frame * because it violates the following Content Security Policy directive: "frame-src for File Download

Recently we integrated a third party script Pendo.js for application inspection of end user usability. To allow this script we have added relevant Content-Security-Policy changes to the Nginx server config file. The Pendo.js script was injected properly and is performing as expected.

But during the Excel file download through an API call, we are facing the following error.

CSP Header:

    add_header Content-Security-Policy "default-src 'self' https:;
        script-src-elem 'self' 'unsafe-inline' https://*.pendo.io;
        script-src 'self' https://*.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5725335814144000.storage.googleapis.com https://*.pendo.io 'unsafe-inline' 'unsafe-eval';
        style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://netdna.bootstrapcdn.com *.marketmedium.net 'unsafe-inline' https://*.pendo.io pendo-static-5725335814144000.storage.googleapis.com;
        font-src 'self' 'unsafe-eval' https://fonts.gstatic.com https://netdna.bootstrapcdn.com;
        img-src 'self' data: *.marketmedium.net https://*.pendo.io pendo-static-5725335814144000.storage.googleapis.com https://*.pendo.io 'unsafe-inline' 'unsafe-eval';
        object-src 'none';
        connect-src *.marketmedium.net https://*.pendo.io pendo-static-5725335814144000.storage.googleapis.com;
        frame-ancestors https://*.pendo.io;
        frame-src https://*.pendo.io 'unsafe-inline' 'unsafe-eval';
        child-src https://*.pendo.io;";

Error: Refused to frame 'dashboardReportDownload?columnNames%5B0%5D=&columnNames%5B1%5D=copy_deal&columnNames%5B2%5D=deal_name&columnNames%5B3%5D=deal_number&columnNames%5B4%5D=deal_status&columnNames%5B5%5D=organization_name&columnNames%5B6%5D=deal_type_name&columnNames%5B7%5D=edh%23id&columnTexts%5B0%5D=&columnTexts%5B1%5D=Copy&columnTexts%5B2%5D=Deal%20Name&columnTexts%5B3%5D=Deal%20Number&columnTexts%5B4%5D=Status&columnTexts%5B5%5D=Organization&columnTexts%5B6%5D=Deal%20Type&columnTexts%5B7%5D=edh%23id&inClauseFields%5B0%5D=edh%23id&edh%23id%5B0%5D=1091&reportId=61f7d68ea90238841a92a0d0&reportViewName=Deal%20Sheet%20Report&downloadFileType=xlsx' because it violates the following Content Security Policy directive: "frame-src https://*.pendo.io".

VM3432:6750 crbug/1173575, non-JS module files deprecated.


Upvotes: 0

Views: 4818

Answers (1)

Halvor Sakshaug

Reputation: 3455

Your frame-src directive seems to be set to "https://*.pendo.io 'unsafe-inline' 'unsafe-eval'" (saying 'seems' because the * character has been removed, causing parts of your question to be in italics). However, the error message says that frame-src is just "https://*.pendo.io". When downloading, a frame from an undisclosed source is created.

If you added frame-src to your policy to support Pendo, you are no longer using the fallback to default-src, which allows "'self' https:". You have thus moved from accepting all sources for frames to only allowing *.pendo.io. You will need to add the blocked host (potentially 'self') to frame-src.

Upvotes: 0
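To make the fallback behaviour in the answer concrete, here is an added Python model (not code from the question, the answer, or Pendo) of how a browser picks the directive that governs a framed URL: it uses frame-src if present, otherwise child-src, otherwise default-src, and only then matches the URL against that directive's sources. The page origin https://app.example.com and the shortened download URL are constructed placeholders; the two policies are the question's policy reduced to the framing-relevant directives, before and after adding 'self' to frame-src.

```python
from urllib.parse import urlsplit, urljoin

# Constructed: the page origin and a shortened form of the question's download URL.
PAGE = "https://app.example.com/reports/"
ORIGIN = ("https", "app.example.com")
DOWNLOAD_URL = urljoin(PAGE, "dashboardReportDownload?reportId=PLACEHOLDER&downloadFileType=xlsx")

# The question's policy reduced to the directives that matter for framing.
POLICY_BEFORE = "default-src 'self' https:; frame-src https://*.pendo.io; child-src https://*.pendo.io"
POLICY_AFTER = "default-src 'self' https:; frame-src 'self' https://*.pendo.io; child-src https://*.pendo.io"

# CSP3 fallback chain for framed content: the first directive present governs.
FRAME_FALLBACK = ["frame-src", "child-src", "default-src"]

def parse_policy(header):
    """'name src src; name src' -> {name: [sources]} (simplified CSP parsing)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Subset of CSP source matching: 'self', scheme-source, host-source with a *. wildcard."""
    u = urlsplit(url)
    if source == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if source.startswith("'"):          # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
        return False
    if source.endswith(":"):            # scheme-source such as https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):           # *.pendo.io matches app.pendo.io but not pendo.io itself
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def frame_allowed(header, url, page_origin=ORIGIN):
    """Resolve the directive governing a frame, then check url against its sources."""
    policy = parse_policy(header)
    for name in FRAME_FALLBACK:
        if name in policy:
            return any(source_matches(s, url, page_origin) for s in policy[name])
    return True                         # nothing in the chain: framing is unrestricted

if __name__ == "__main__":
    print("before:", frame_allowed(POLICY_BEFORE, DOWNLOAD_URL))   # False: same-origin download blocked
    print("after: ", frame_allowed(POLICY_AFTER, DOWNLOAD_URL))    # True: 'self' now covers it
```

Removing frame-src entirely makes the same URL pass via default-src, which is the "accepting all sources for frames" state the answer describes; adding only child-src would still block it, because child-src sits ahead of default-src in the chain.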
