
I have an iframe embedded in an ASP.NET web form. I have included what I thought was the correct Content-Security-Policy values in the web.config.

However, I still get a CSP violation in the web browser as follows:

Refused to frame 'https://www.{xyz}.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://*.{abc}.com https://{abc}.com".

I have my web.config configured as follows:

<add name="Content-Security-Policy" 
     value="frame-src 'self' https://*.{xyz}.com https://*.{abc}.com; frame-ancestors https://*.{abc}.com https://*.{xyz}.com;" />

I have tried all possible configurations, which is why I just decided to put the two sites in both the frame-src and frame-ancestors keys.

I've spent some time on this, but to no avail. Any suggestions would be great. Thanks.

  • "I have my web.config configured as follows" - and that applies to which of the sites? xyz.com? abc.com? Both of them? Commented Sep 25 at 7:20

1 Answer

First, some info on the CSP directives you are using.

frame-src controls who you are allowed to frame on your site.

frame-ancestors controls who is allowed to put your site in a frame on their site.

If your site is abc.com, and you are trying to frame xyz.com, then the CSP you need is:

frame-src xyz.com

When you frame xyz.com on your site, note that xyz.com might have a CSP with frame-ancestors that prevents you from doing that.

Looking more specifically at your error message, this seems to be the problem.

Refused to frame 'https://www.{xyz}.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://*.{abc}.com https://{abc}.com".

You have tried to frame xyz.com, which has a CSP with frame-ancestors https://*.{abc}.com https://{abc}.com that is preventing you from doing that. This means that your site is not one of *.abc.com or abc.com. If you control xyz.com then you need to update the CSP there to allow the site that is trying to frame it.

Useful Links

The CSP 2 RFC says that frame-src was deprecated: https://www.w3.org/TR/CSP2/#directive-frame-src

The CSP 3 RFC undeprecated frame-src: https://www.w3.org/TR/CSP3/?ref=scotthelme.co.uk#changes-from-level-2

My CSP cheat sheet might help you: https://scotthelme.co.uk/csp-cheat-sheet/
