I want to add an iframe into my html page.
The reason for this is to, hopefully, be able to set values into the "localstorage" for that iframe / sub-domain.
I put the tag for the iframe like so: <iframe src="https://yt.localtest.me"></iframe>
.
Then I add the following inside the head of the page: <meta http-equiv="Content-Security-Policy" content="frame-src 'self' *.localtest.me">
I have tried many other variations of this.
The "Web developer tools" only gives me the following information: Content Security Policy: The page’s settings blocked the loading of a resource at https://yt.localtest.me/ (“frame-src”).
.
There are never any requests going to this sub-domain as far as I can see. But in I have removed the "x-frame-options" returned by Nginx which was set to "Deny".
Why am I seeing this error, and how can I fix it?
Btw, I am seeing this on both Firefox and Chrome.
Response headers for the containg page is:
HTTP/2 200 OK content-type: text/html; charset=utf-8 date: Thu, 05 Jan 2023 12:55:59 GMT server: Kestrel x-frame-options: DENY x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000 referrer-policy: strict-origin-when-cross-origin content-security-policy: script-src 'self' https://cdn.jsdelivr.net 'nonce-Hc3huW7RDIa1gqTxo/n05 MhyPwBpRiokpv12 2uNN4='; default-src 'self'; frame-src https://cdn.jsdelivr.net; img-src 'self' https://cdn.jsdelivr.net data:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; base-uri 'none'; font-src 'self' https://cdn.jsdelivr.net; connect-src 'self' * ws: wss: localhost:* localtest.me:* X-Firefox-Spdy: h2
CodePudding user response:
What happens if you don't add the meta tag with CSP? Do you get the same error message?
I think the most likely explanation is another CSP, likely set in a response header, and that you try to amend this by adding another policy. But another policy can only add restrictions, not loosen any set by another policy. If this is the case, you should change or remove the CSP set in the response hader and remove the meta version if necessary.