Nick Friesen

Reputation: 789

Content Security Policy Error when rendering iframe from specified website

I am currently trying to allow specific websites to render an iframe of my website, but the following Content Security Policy added to my root web.config file doesn't seem to be doing the trick:

<add name="Content-Security-Policy" value="frame-ancestors https://https://iframetester.com/;" />

I get the following error:

Refused to frame 'My website URL' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

What is it that I'm missing/not understanding and how do I allow only specific websites to render an iframe from my website?

Upvotes: 0

Views: 716

Answers (2)

Nick Friesen

Reputation: 789

I ended up finding the issue to my specific situation. The website I have has other applications' code hosted on it, which already had some HTTP response headers baked into it. This is why I wasn't able to change this setting.

Upvotes: 0

Halvor Sakshaug

Reputation: 3465

It is the website you are trying to embed that has the setting frame-ancestors 'self', which means that it can only be framed by other pages with the same host. Other hosts are not allowed to frame it. Adding your own frame-ancestors only restricts who can frame your page. You have 3 options:

  1. Do not frame this page as it is not intended to be framed by others.
  2. Ask if your host can be added to the list of allowed framers.
  3. Load the page through a proxy that removes the content-security-policy header. But don't do this, the setup will be messy, and there are likely good reasons framing was disallowed in the first place.

Upvotes: -1
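The answer above turns on how a browser evaluates frame-ancestors: the header sent by the page being embedded decides which ancestor origins may frame it, 'self' means the same scheme, host and port, and a malformed source expression such as the doubled scheme in the question's web.config simply matches nothing. The following checker is an added example written for this page, not code from the question or either answer, and not a browser's implementation; it evaluates a frame-ancestors directive against a candidate embedder the way the CSP source-matching rules do, with two labelled simplifications (the path part of a host-source is ignored, and X-Frame-Options is not considered). The URL https://my-site.example/ is a placeholder for the asker's site.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when a URL or source expression omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_frame_ancestors(csp_header):
    """Return the source expressions of the frame-ancestors directive, or None if absent."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin(url):
    """(scheme, host, port) of a URL, lower-cased, with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    return scheme, host, u.port or DEFAULT_PORTS.get(scheme)


def _scheme_matches(expr_scheme, url_scheme):
    # CSP lets an http: / ws: expression also match its secure upgrade.
    return url_scheme == expr_scheme or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _source_matches(expr, ancestor_url, protected_url):
    """Does one source expression match the ancestor origin? (path component ignored: simplification)"""
    a_scheme, a_host, a_port = _origin(ancestor_url)
    p_scheme = _origin(protected_url)[0]
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        # Same origin as the protected page: scheme, host and port must all agree.
        return _origin(protected_url) == (a_scheme, a_host, a_port)
    if e == "*":
        return a_scheme in DEFAULT_PORTS
    if e.endswith(":") and "/" not in e:
        # scheme-source, e.g. "https:"
        return _scheme_matches(e[:-1], a_scheme)
    # host-source: [scheme://]host[:port][/path]
    if "://" in e:
        e_scheme, rest = e.split("://", 1)
        if not _scheme_matches(e_scheme, a_scheme):
            return False
    else:
        # No scheme given: the protected page's scheme (or its secure upgrade) is implied.
        rest = e
        if not _scheme_matches(p_scheme, a_scheme):
            return False
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    if not host:
        return False
    if host.startswith("*."):
        # "*.example.com" matches subdomains only, not the bare domain.
        if not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    if port == "*":
        return True
    return port.isdigit() and int(port) == a_port


def is_framing_allowed(csp_header, protected_url, ancestor_url):
    """True if the CSP of protected_url lets a page at ancestor_url embed it in a frame.

    A missing frame-ancestors directive imposes no CSP restriction; X-Frame-Options,
    if also sent, is a separate header and is not evaluated here (simplification).
    """
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True
    return any(_source_matches(s, ancestor_url, protected_url) for s in sources)


def is_frame_chain_allowed(csp_header, protected_url, ancestor_urls):
    """Browsers test every ancestor in the frame chain, not just the immediate parent."""
    return all(is_framing_allowed(csp_header, protected_url, a) for a in ancestor_urls)


if __name__ == "__main__":
    PROTECTED = "https://my-site.example/"   # placeholder for the asker's site
    EMBEDDER = "https://iframetester.com/"
    # The policy the browser actually enforced in the question's error message:
    print(is_framing_allowed("frame-ancestors 'self'", PROTECTED, EMBEDDER))                  # False
    # The value from the question's web.config, with the doubled scheme: matches nothing
    print(is_framing_allowed("frame-ancestors https://https://iframetester.com/;", PROTECTED, EMBEDDER))  # False
    # The value that would allow this one embedder alongside the site itself:
    print(is_framing_allowed("frame-ancestors 'self' https://iframetester.com;", PROTECTED, EMBEDDER))    # True
```

When debugging a case like the one in the question, run the checker against the Content-Security-Policy value the browser actually received (from the network panel), not the one in web.config: as the asker found, another component in the same site can emit its own header, and the browser enforces the header it sees.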
