content security policy frame-ancestors
I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header: Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.

I am able to load the content on iframe when I give the header as Content-Security-Policy: frame-ancestors http://*.example.com/.

But when I change the header to: Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html. then the content in the iframe loads the first time, but I get the error below when I refresh the web page:

Refused to display 'https://....' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors self http://*.example.com/abc.html.

Can anyone tell me why it's giving an error on refreshing the page? Also, does frame-ancestors consider the full URL (http://*.example.com/abc.html) or only the hostname, like http://*.example.com?

Kinshasa answered 1/9, 2021 at 16:37
CSP frame-ancestors can only restrict framing, so setting it won't make it easier to load. It is not clear on which of the pages you set the CSP. If A frames B then frame-ancestors on B will determine if A is allowed to frame the content, while frame-ancestors only on A will have no impact. You should make your question more clear. Finally it is 'self' with single quotes.Carangid
Hi @Halvor Sakshaug, thanks for answering. I am trying to load some content from A into an iframe of B. For that I have set a CSP header on the server of A and am getting the errors mentioned above. Also, can you please elaborate on 'If A frames B'? Does it mean B is getting loaded in the iframe of A?Kinshasa
Yes if A frames B means that Site A is loading Site B into an iFrame. The frame-ancestors have to be set on Site B.Gregoriagregorian
You cannot specify file names in the frame-ancestors; only URLs or IP addresses are allowed: Internet hosts by name or IP address, as well as an optional URL scheme and/or port number, separated by spaces. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. Single quotes surrounding the host are not allowed.Broddy
Chrome browser has a bug - it does not support paths in the frame-ancestors directive. Safari has the same bug, and only the latest Firefox supports paths in this directive.

So for frame-ancestors, instead of http://*.example.com/abc.html you have to use the http://*.example.com host-source.
For other directives you can use paths and filenames.

Oberon answered 2/9, 2021 at 0:27
Is this bug present in Edge Chromium too?Gregoriagregorian
I think - yes, but I don't have an Edge Chromium browser for real testing. You can test any browser using the link above.Oberon
It is not a bug, it is according to the specification: it must be a host-source, scheme-source, 'self' or 'none'.Carangid
It's a bug since the CSP specification defines the host-source including the paths as well as the scheme, the port number and the file name. Also note that according to spec, the frame-ancestors does not support a wildcard *, but in real life it supports it. Therefore, the specification is not always the final truth - browsers can interpret it in their own way.Oberon
Is it listed on bugs.chromium.org ?Shaniceshanie
Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:

  • Remove the path, it is not according to the specification to use more than the scheme, host and port.
  • Use the expected scheme (http/https) or remove the scheme.
  • Use wildcard https://*.example.com, not just https://.example.com
  • Use 'self', not self
Carangid answered 3/9, 2021 at 4:33
Regarding "Remove the path, it is not according to the specification to use more than the scheme, host and port." as mentioned by @Oberon - is this a bug then? Or are path-parts not supported for CSP Frame Ancestors?Gregoriagregorian
As the specification says, it can only be a host-source, scheme-source, 'self' or 'none'. Not accepting path is according to the specification, so that is not a bug.Carangid
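Putting the adjustments above (and the single-quote point raised in the comments under the question) into code, as an added example that is not from the question or any of the answers: the helper names normalizeSource, buildFrameAncestors and isFramingAllowed are assumed names, and the origins content.test, app.example.com and evil.test are constructed. The builder keeps only scheme, host and port and quotes the keywords; the matcher implements the wildcard, scheme and port rules a browser applies to the ancestor-source forms named here (scheme-source, host-source, 'self', 'none'). It rejects paths outright rather than taking a side on whether accepting them is a bug, which is the safe choice given that browsers disagree.

```javascript
// Added example, not code from the question or the answers: build a
// frame-ancestors value the way the answers recommend (scheme, host, port
// only; keywords in single quotes), then check which ancestor pages it lets
// frame the content. normalizeSource, buildFrameAncestors and
// isFramingAllowed are hypothetical names; all origins below are constructed.

const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/.*)?$/i;

// Turn one intended source into a token browsers accept for frame-ancestors.
// Paths are rejected rather than silently dropped, so a value such as
// "http://*.example.com/abc.html" fails loudly instead of working only sometimes.
function normalizeSource(src) {
  const s = src.trim();
  if (/^'?(self|none)'?$/i.test(s)) return `'${s.replace(/'/g, '').toLowerCase()}'`;
  if (SCHEME_SOURCE.test(s)) return s.toLowerCase();
  const m = HOST_SOURCE.exec(s);
  if (!m) throw new Error(`cannot parse frame-ancestors source: ${src}`);
  const [, scheme, host, port, path] = m;
  if (path && path !== '/') throw new Error(`path not allowed in frame-ancestors: ${src}`);
  return (scheme ? `${scheme.toLowerCase()}://` : '') + host.toLowerCase() + (port ? `:${port}` : '');
}

function buildFrameAncestors(sources) {
  return 'frame-ancestors ' + sources.map(normalizeSource).join(' ');
}

// A scheme in the policy also covers its secure variant (http: covers https:).
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  return (exprScheme === 'http:' && urlScheme === 'https:') ||
         (exprScheme === 'ws:' && urlScheme === 'wss:');
}

// "*.example.com" matches any subdomain but not the bare "example.com".
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase(), h = hostname.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return h.endsWith(p.slice(1));
  return p === h;
}

// Does the page at ancestorUrl match one ancestor-source token? selfOrigin is
// the origin of the framed page, i.e. what 'self' refers to.
function matchesSource(token, ancestorUrl, selfOrigin) {
  const url = new URL(ancestorUrl);
  const selfUrl = new URL(selfOrigin);
  if (token === "'none'") return false;
  if (token === "'self'") return url.origin === selfUrl.origin;
  if (SCHEME_SOURCE.test(token)) return schemeMatches(token.toLowerCase(), url.protocol);
  // Unquoted "self" falls through here and is treated as a host literally named "self".
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(token);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const exprScheme = scheme ? `${scheme.toLowerCase()}:` : selfUrl.protocol;
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port === '*') return true;
  if (port === undefined) return url.port === '';   // URL must be on its scheme's default port
  return Number(port) === (url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol]);
}

// Pull the frame-ancestors directive out of a full CSP header value.
function frameAncestorTokens(csp) {
  const directive = csp.split(';').map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Would a browser enforcing `csp` on the framed page allow ancestorUrl to frame it?
function isFramingAllowed(csp, ancestorUrl, selfOrigin) {
  const tokens = frameAncestorTokens(csp);
  if (tokens === null) return true;   // no frame-ancestors directive: framing unrestricted
  return tokens.some(t => matchesSource(t, ancestorUrl, selfOrigin));
}

// Constructed origins: the framed content lives at https://content.test.
const policy = buildFrameAncestors(['self', 'http://*.example.com/']);
console.log(policy);   // frame-ancestors 'self' http://*.example.com
console.log(isFramingAllowed(policy, 'https://app.example.com/abc.html', 'https://content.test')); // true
console.log(isFramingAllowed(policy, 'https://example.com/', 'https://content.test'));           // false
```

Run it with node. Two behaviours are worth noticing: the asker's unquoted self is matched as a host named "self", so it never matches the framed page's own origin, which is why 'self' needs the quotes; and http://*.example.com also admits https ancestors and any subdomain depth, but not example.com itself and not a non-default port unless the policy names one.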
