I have a web app which I want to display in an iframe in web apps with different domains. Since I have added a content-security-policy header my app refuses to display in iframe. I saw that I need to add frame-ancestors options but all the examples I see are using specific domains. How can I allow it for all domains? Is "frame ancestors *;" enough? Thanks!
Briefly - yes, * allows any sources for iframe except data:.
Please note that frame-ancestors is not supported in the meta tag <meta http-equiv='Content-Security-Policy' content="..."> (but it looks like you use an HTTP header to deliver CSP, so this warning is not for you).
But if you really wish to allow all frame ancestors - it is more reliable not to specify the frame-ancestors directive at all, because for now Mozilla Firefox has some bugs with it.
PS: You did not attach a screenshot of the errors in the browser console - maybe the iframes were blocked for some reason other than CSP?
Updated after the CSP details were exposed
<html>
<!-- parent page issues CSP: default-src 'self';
     since frame-src is omitted, it falls back to default-src and the result will be: frame-src 'self' -->
<iframe src=''></iframe>
</html>
The iframe is allowed with the same scheme://host:port as the parent page loads.
'self' is tricky in that if the parent is loaded via HTTP:, an iframe via HTTPS: will be blocked in CSP2 browsers. CSP3 browsers do upgrade (see para 3) HTTP: to HTTPS:, so all is OK.
If the parent page issues a frame-ancestors * policy, it means you allow it to be embedded into an iframe on any other webpage.
The X-Frame-Options HTTP header provides the same functionality, but it's overridden if frame-ancestors is issued.
<iframe> embeds into the page which published this CSP. It affects where it is allowed to embed this page. The <iframe> could publish its own CSP with the rule frame-ancestors domain1.com domain2.com to restrict its embedding into other web pages. That's how it works. You could play with a test of frame-ancestors to clarify the details for different <iframe src=/srcdoc=.
Therefore, if you embed the iframe from your own domain/subdomains, it's safer to use:
frame-ancestors 'self';
or if you use subdomains:
frame-ancestors http://example.com https://example.com http://*.example.com https://*.example.com;
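To make the matching rules discussed in this answer concrete (`*` excludes `data:`, `'self'` with the HTTP-to-HTTPS upgrade of CSP3 browsers, scheme-qualified hosts and `*.example.com` wildcards), here is an added example that is not part of the original answer: a small Python evaluator that takes a Content-Security-Policy header, the URL of the page being framed, and the URL of the would-be ancestor, and reports whether frame-ancestors permits the embedding. It is a simplified model of the CSP3 source-expression matching, written for this page; it ignores paths in host sources and does not consider X-Frame-Options. All function names and the `.example` / `.test` hosts are constructed for the demo.

```python
"""Simplified frame-ancestors evaluator (added example, CSP3-style matching)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
NETWORK_SCHEMES = set(DEFAULT_PORTS)  # '*' never matches data:, blob: or filesystem: ancestors


def _origin(url):
    """Return (scheme, host, port) with the default port filled in for the scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def parse_frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if the header lacks it."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _scheme_matches(expected, actual):
    # CSP3 accepts https as an upgrade of http (and wss of ws); CSP2 browsers did not.
    return actual == expected or (expected, actual) in {("http", "https"), ("ws", "wss")}


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"; must be a real subdomain
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _self_matches(ancestor, protected):
    a_scheme, a_host, a_port = ancestor
    p_scheme, p_host, p_port = protected
    if a_host != p_host or not _scheme_matches(p_scheme, a_scheme):
        return False
    # Same port, or both ports are the defaults for their schemes (http:80 page framed by https:443 page).
    return a_port == p_port or (
        a_port == DEFAULT_PORTS.get(a_scheme) and p_port == DEFAULT_PORTS.get(p_scheme)
    )


def _host_source_matches(expr, ancestor, protected):
    a_scheme, a_host, a_port = ancestor
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = protected[0], expr  # scheme-less source inherits the protected page's scheme
    if not _scheme_matches(scheme, a_scheme):
        return False
    host_pat, _, port_pat = rest.split("/", 1)[0].partition(":")  # path part is ignored here
    if not _host_matches(host_pat, a_host):
        return False
    if port_pat == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    if port_pat == "*":
        return True
    return a_port == int(port_pat)


def is_framing_allowed(csp_header, protected_url, ancestor_url):
    """True if frame-ancestors in csp_header lets ancestor_url embed protected_url."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True  # no directive: CSP imposes no framing restriction (X-Frame-Options may still)
    ancestor, protected = _origin(ancestor_url), _origin(protected_url)
    allowed = False
    for expr in sources:
        e = expr.lower()
        if e == "'none'":
            continue
        if e == "'self'":
            allowed |= _self_matches(ancestor, protected)
        elif e == "*":
            allowed |= ancestor[0] in NETWORK_SCHEMES
        elif e.endswith(":") and "://" not in e:  # scheme-source such as https:
            allowed |= _scheme_matches(e[:-1], ancestor[0])
        else:
            allowed |= _host_source_matches(e, ancestor, protected)
    return allowed


if __name__ == "__main__":
    SUBDOMAINS = ("frame-ancestors http://example.com https://example.com "
                  "http://*.example.com https://*.example.com;")
    cases = [  # constructed demo inputs
        ("frame-ancestors *;", "https://app.example", "https://other.test"),
        ("frame-ancestors *;", "https://app.example", "data:text/html,<b>x</b>"),
        ("frame-ancestors 'self';", "http://app.example", "https://app.example"),
        (SUBDOMAINS, "https://app.example.com", "https://example.com.evil.test"),
    ]
    for csp, page, parent in cases:
        print(f"{csp:<60} {parent:<32} -> {is_framing_allowed(csp, page, parent)}")
```

Run it directly to see the four demo rows; the `'self'` row shows the CSP3 upgrade behaviour the answer mentions (an HTTP page framed by its HTTPS twin is allowed), and the last row shows that `*.example.com` does not match a look-alike host where `example.com` is only a prefix.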