Content-Security-Policy frame-ancestors not working

harvey

3/10/24, 3:02 AM

I'm running an OpenLiteSpeed server and would like to only allow webpages that start with a specific url on my site (e.g. https://example.com/video/**) to be iframed by others. (I want to allow anyone to add an iframe to their site, but they can only iframe https://example.com/video/**)

I added this line to my headers Content-Security-Policy "frame-ancestors 'self' https://example.com/video/", but the iframe (placed on another domain) won't load, and I get this error in console: Refused to frame 'https://example.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://example.com/video/".. I also tried without 'self' and it still didn't work.

I would really appreciate if someone can assist me with this!

Thanks!

696

0 + 2

security

http-headers

Yomna Mansour

3/22/24, 12:40 PM

Have solved it? I've the same problem

harvey

3/23/24, 5:34 PM

@YomnaMansour Unfortunately not.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Content-Security-Policy frame-ancestors not working

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.