
We are getting a frame-ancestors related iframe error when attempting to use the hellosign-embedded library from our application. The application is hosted in Firebase.

Example of error message:

```
Refused to frame 'https://app.hellosign.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
```

Example of headers configuration for Firebase Hosting:

```json
"headers": [
  {
    "source": "**/*",
    "headers": [
      {
        "key": "Cache-Control",
        "value": "no-cache"
      },
      {
        "key": "Content-Security-Policy",
        "value": "frame-ancestors 'self' *://*.hellosign.com"
      }
    ]
  }
]
```

So either these settings are not being recognized, or there is a deeper issue.

David
Jeff Voss
  • Have you confirmed that the header is present and has the correct value? – Phil Jul 11 '22 at 03:11
  • Short answer, no it doesn't - I've checked the response headers on the document – Jeff Voss Jul 11 '22 at 03:29
  • Have you deployed the hosting changes? – Phil Jul 11 '22 at 03:48
  • Yes, I've created another question more pointed to viewing firebase hosting configuration, doesn't seem to be a way to do it – Jeff Voss Jul 11 '22 at 04:02
  • The [docs](https://firebase.google.com/docs/hosting/full-config) say there is a way... _You can check the deployed firebase.json content using the [Hosting REST API](https://firebase.google.com/docs/reference/hosting/rest/v1beta1/sites.releases/list?apix_params=%7B%22parent%22%3A%22sites%2F%3Cyour-site-name%3E%22%2C%22pageSize%22%3A1%7D)._ – Phil Jul 11 '22 at 04:06
  • As an aside, I'd skip the wildcard for the URL scheme and just use `https://*.hellosign.com` – Phil Jul 11 '22 at 04:06
  • I have tried absolutely everything and still get the same error. Huge blocker for us right now. – Jeff Voss Jul 14 '22 at 21:39
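
Added example, not part of the question or its comments: a simplified evaluator for `frame-ancestors`, which browsers enforce using the policy delivered with the framed response and check against each embedding ancestor. It evaluates both policy strings quoted above and shows that `*://` does not parse as a CSP scheme, so that source expression matches nothing; `https://my-app.web.app` is a constructed placeholder origin, and the matching rules are a simplification of CSP Level 3.

```python
import re
from urllib.parse import urlsplit

# CSP3 grammar: scheme = ALPHA *(ALPHA / DIGIT / "+" / "-" / "."), so "*://" never parses.
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?$", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme)

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_allows(source, ancestor, framed):
    """Simplified CSP3 match of one source expression against the ancestor's origin."""
    a, f = origin(ancestor), origin(framed)
    if source.lower() == "'self'":
        return a == f                           # 'self' is the framed resource's own origin
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", source, re.IGNORECASE):
        return a[0] == source[:-1].lower()      # scheme-source such as "https:"
    m = HOST_SOURCE.match(source)
    if not m:
        return False                            # 'none' or an invalid expression: no match
    scheme = (m["scheme"] or f[0]).lower()
    scheme_ok = a[0] == scheme or (scheme == "http" and a[0] == "https")
    port_ok = m["port"] == "*" or int(m["port"] or DEFAULT_PORTS.get(a[0], -1)) == a[2]
    host = m["host"].lower()
    host_ok = host == "*" or (a[1].endswith(host[1:]) if host.startswith("*.") else a[1] == host)
    return scheme_ok and port_ok and host_ok

def may_frame(csp_of_framed, framed, ancestor):
    """True if `ancestor` may embed `framed` under the CSP delivered with `framed`."""
    sources = frame_ancestors(csp_of_framed)
    return sources is None or any(source_allows(s, ancestor, framed) for s in sources)

if __name__ == "__main__":
    app = "https://my-app.web.app"              # constructed placeholder origin
    print(may_frame("frame-ancestors 'self'", "https://app.hellosign.com/", app))
    print(may_frame("frame-ancestors 'self' *://*.hellosign.com", app, "https://app.hellosign.com"))
```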

0 Answers