8

I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header: Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.

I am able to load the content on iframe when I give the header as Content-Security-Policy: frame-ancestors http://*.example.com/.

But when I change the header to: Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html, then the content in the iframe is loaded the first time but gives the error below when I refresh the web page:

Refused to display 'https://....' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors self http://*.example.com/abc.html.

Can anyone tell me why it's giving an error on refreshing the page? Also, does frame-ancestors consider the full URL (http://*.example.com/abc.html) or only the hostname like http://*.example.com?

user16806836
  • CSP frame-ancestors can only restrict framing, so setting it won't make it easier to load. It is not clear on which of the pages you set the CSP. If A frames B then frame-ancestors on B will determine if A is allowed to frame the content, while frame-ancestors only on A will have no impact. You should make your question more clear. Finally it is 'self' with single quotes. – Halvor Sakshaug Sep 01 '21 at 18:26
  • Hi @Halvor Sakshaug, thanks for answering. I am trying to load some content from A into an iframe of B. For that I have set a CSP header on the server of A and am getting the errors as mentioned above. Also, can you please elaborate on 'If A frames B'? Does it mean B is getting loaded in an iframe of A? – user16806836 Sep 01 '21 at 18:55
  • Yes, 'if A frames B' means that Site A is loading Site B into an iFrame. The frame-ancestors has to be set on Site B. – Viking22 Sep 02 '21 at 20:47
  • You cannot specify file names in frame-ancestors; only URLs or IP addresses are allowed: Internet hosts by name or IP address, as well as an optional URL scheme and/or port number, separated by spaces. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. Single quotes surrounding the host are not allowed. – Prabhu Thomas Jan 18 '22 at 10:28

2 Answers

8

Chrome has a bug: it does not support paths in the frame-ancestors directive. Safari has the same bug, and only the latest Firefox supports paths in this directive.

So for frame-ancestors, instead of http://*.example.com/abc.html you have to use the host-source http://*.example.com.
For other directives you can use paths and filenames.

granty
  • Is this bug present in Edge Chromium too? – Viking22 Sep 03 '21 at 20:29
  • I think yes, but I don't have an Edge Chromium browser for real testing. You can test any browser using the link above. – granty Sep 03 '21 at 21:18
  • It is not a bug, it is according to the specification: it must be a host-source, scheme-source, 'self' or 'none'. – Halvor Sakshaug Sep 06 '21 at 06:05
  • It's a bug since the CSP specification defines the [host-source including the paths](https://www.w3.org/TR/CSP3/#grammardef-host-source) as well as the scheme, the port number and the file name. Also note that according to spec, the `frame-ancestors` does not support a wildcard `*`, but in real life it supports it. Therefore, the specification is not always the final truth - browsers can interpret it in their own way. – granty Sep 06 '21 at 14:26
  • Is it listed on https://bugs.chromium.org/ ? – Nest Jul 31 '22 at 08:42
0

Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:

  • Remove the path, it is not according to the specification to use more than the scheme, host and port.
  • Use the expected scheme (http/https) or remove the scheme.
  • Use wildcard https://*.example.com, not just https://.example.com
  • Use 'self', not self
Halvor Sakshaug
  • Regarding "Remove the path, it is not according to the specification to use more than the scheme, host and port": as mentioned by @granty, is this a bug then? Or are path parts not supported for CSP frame-ancestors? – Viking22 Sep 03 '21 at 21:21
  • As the specification says, it can only be a host-source, scheme-source, 'self' or 'none'. Not accepting path is according to the specification, so that is not a bug. – Halvor Sakshaug Sep 06 '21 at 06:05
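An added example (my own code, not from the question or either answer) that lints a frame-ancestors value for the two mistakes raised in this thread, an unquoted self keyword and a path-part, and checks whether a framing page's URL matches the list using simplified CSP3 host-source matching (scheme, wildcard host, port). The path-part is deliberately not matched, reflecting the browser behaviour both answers describe; the function names and the self_origin parameter are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}
# scheme://host[:port][/path], host may be "*" or a "*." wildcard prefix
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\*|\d+))?(?P<path>/\S*)?$", re.I)


def lint_frame_ancestors(value: str) -> list[str]:
    """Flag unquoted keywords and path-parts in a frame-ancestors value."""
    warnings = []
    for token in value.split():
        if token in ("'self'", "'none'"):
            continue
        if token in ("self", "none"):  # unquoted: parsed as a host literally named "self"
            warnings.append(f"{token}: keyword must be quoted as '{token}'")
            continue
        m = HOST_SOURCE.match(token)
        if m is None:
            warnings.append(f"{token}: not a valid source expression")
        elif m.group("path"):  # Chrome/Safari ignore the path for frame-ancestors
            warnings.append(f"{token}: drop the path, use {token[:m.start('path')]}")
    return warnings


def ancestor_allowed(value: str, ancestor_url: str, self_origin: str) -> bool:
    """Would this frame-ancestors value let ancestor_url frame the page?"""
    url, me = urlsplit(ancestor_url), urlsplit(self_origin)
    url_port = url.port or DEFAULT_PORT.get(url.scheme)
    me_port = me.port or DEFAULT_PORT.get(me.scheme)
    for token in value.split():
        if token == "'none'":
            return False
        if token == "'self'":
            if (url.scheme, url.hostname, url_port) == (me.scheme, me.hostname, me_port):
                return True
            continue
        m = HOST_SOURCE.match(token)
        if m is None:
            continue
        scheme = (m.group("scheme") or me.scheme).lower()
        host, port = m.group("host").lower(), m.group("port")
        # CSP3 scheme-part matching: an "http" expression also covers "https"
        scheme_ok = scheme == url.scheme or (scheme == "http" and url.scheme == "https")
        host_ok = (host == "*" or (host.startswith("*.") and url.hostname.endswith(host[1:]))
                   or host == url.hostname)
        # no port-part: only the default port for the ancestor's scheme matches
        port_ok = (url_port == DEFAULT_PORT.get(url.scheme) if port is None
                   else port == "*" or int(port) == url_port)
        if scheme_ok and host_ok and port_ok:
            return True
    return False
```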