CSP frame-ancestors self directive blocks page served from same origin
I have a nodejs app which serves
index.html for "/" route
test.html for "/test" route
app.get("/", (req, res) => {
res.sendFile(path.join(__dirname + "/index.html"));
});
app.get("/test", (req, res) => {
res.sendFile(path.join(__dirname + "/test.html"));
});
index.html has an iframe which embeds /test as below
<iframe
width="100%"
height="500px"
src="http://localhost:5500/test"
sandbox
></iframe>
In server.js, I am applying CSP as below:
app.use(function (req, res, next) {
res.setHeader("Content-Security-Policy", "frame-ancestors self");
next();
});
The content from /test route is blocked by Chrome saying
As per MDN for frame-ancestors,
The URL scheme and port are same for both are same i.e. http://localhost:5500
Host:
Content being iframed can be access independently:
Why is http://localhost:5500/test not being considered as sameorigin when compared to http://localhost:5500?
Minimal reproducible example - https://github.com/phalgunv/csp-demo-same-origin
Solution
Try surrounding "self" in single quotes:
res.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
- Is it possible to pull css values with HTA javascript?
- What a strange syntax?
- JavaScript / Jest: How to show logs from test case only when test fails?
- How to secure my login page
- How can I create a two-way mapping in JavaScript, or some other way to swap out values?
- Route "/[locale]" used `params.locale`. `params` should be awaited before using its properties
- Page.locator() is the recommended way to select and interact with elements. Why does it offer less functionalities than Page.$()?
- How to filter object array based on attributes?
- How do you convert from emoji to unicode escapes in JS
- How to simulate a mouse click?
- Is it possible to add a single item to a vis.js timeline?
- How to ensure order of Cypress request execution
- Jquery Ajax Problem
- Can I run a function after navigating to a new page and waiting for that page to finish loading?
- Cannot start cocos after adding a new file
- Active link with React-Router?
- Is there a way to schedule offline notifications in a pwa?
- How to get the grid coordinates of an element using JavaScript?
- Bootstrap popper.js Failed to find a valid digest in the 'integrity' attribute for resource
- LeafLet map doesnt render properly on modal
- Create object from array
- How to ignore lines of code from coverage in vitest?
- How to manage CORS in Django
- How can I get an element's Accessible Name in javascript in the browser?
- TypeError: fs.readFileSync is not a function in Next.js
- Show hide divs on click in HTML and CSS without jQuery
- If an IIFE contains just one variable declaration that is immediately exported to global scope, why bother with it?
- Need explanation on following type of Javascript code
- What does an array literal with the `for` keyword inside mean in JavaScript?
- How to call a function every minute in a React component?