I have published a web app (sub.domain.com) to an Internet Information Services (IIS) virtual server and now wish to display it in an iFrame on www.otherdomain.com. The published web.config file on the web server does not contain a CSP directive until one is automatically added in IIS using the custom key/value pair shown below:
The web.config file is then modified to contain the following:
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <!-- Custom response header added via IIS -->
            <add name="Content-Security-Policy" value="frame-ancestors *.otherdomain.com www.otherdomain.com" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>
So far so good. The problem is that when I try to display the page in an iFrame I get the following error:
Refused to frame 'https://sub.domain.com' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"
When I view the resulting response header in Chrome Dev Tools it shows two different frame-ancestors directives are present:
Questions:
1. What could be auto-generating the first directive ("frame-ancestors 'self'")? IIS? Chrome?
2. If two headers are present, would the second directive (the custom one added via IIS) be ignored?
3. What can I try in order to resolve the error?
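The following is an added example, my own code rather than anything from the question or an answer to it, that models what a browser does with the two header values the question describes. Browsers enforce every delivered Content-Security-Policy independently: an ancestor origin is permitted to frame the document only if each policy that carries frame-ancestors admits it, so a second header cannot loosen a first one. The matcher is a deliberately simplified version of the CSP3 source-expression algorithm (no path components, nonces or hashes), the header values and URLs are constructed for illustration, and only Python's standard urllib is assumed.

```python
from urllib.parse import urlsplit

# Constructed sample: the two header values the question reports seeing in Dev Tools.
PAGE_URL = "https://sub.domain.com"
DELIVERED_POLICIES = [
    "frame-ancestors 'self'",
    "frame-ancestors *.otherdomain.com www.otherdomain.com",
]


def parse_csp(header):
    """Split one Content-Security-Policy value into {directive-name: [source, ...]}."""
    directives = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def origin_of(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return u.scheme.lower(), u.hostname.lower(), port


def source_matches(source, page_url, ancestor_url):
    """Simplified CSP3 source-expression match for frame-ancestors: handles 'self',
    'none', '*', scheme-sources and host-sources with an optional leading wildcard,
    scheme and port. A scheme-less host matches the page's scheme or https."""
    p_scheme, p_host, p_port = origin_of(page_url)
    a_scheme, a_host, a_port = origin_of(ancestor_url)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (p_scheme, p_host, p_port) == (a_scheme, a_host, a_port)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return a_scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")           # scheme is "" when none was given
    host, _, port = rest.partition(":")
    if scheme:
        if a_scheme != scheme:
            return False
    elif a_scheme not in (p_scheme, "https"):
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):             # "*.otherdomain.com" -> ".otherdomain.com"
            return False
    elif host != a_host:
        return False
    if port and port != "*" and int(port) != a_port:
        return False
    return True


def frame_ancestor_allowed(policies, page_url, ancestor_url):
    """Every delivered policy is enforced on its own: framing is allowed only when
    each policy that contains frame-ancestors admits the ancestor origin."""
    for header in policies:
        sources = parse_csp(header).get("frame-ancestors")
        if sources is None:
            continue                                   # this policy is silent on framing
        if not any(source_matches(s, page_url, ancestor_url) for s in sources):
            return False
    return True


if __name__ == "__main__":
    for ancestor in ("https://www.otherdomain.com", "https://sub.domain.com"):
        print(ancestor,
              "both headers:", frame_ancestor_allowed(DELIVERED_POLICIES, PAGE_URL, ancestor),
              "custom header only:", frame_ancestor_allowed(DELIVERED_POLICIES[1:], PAGE_URL, ancestor))
```

Running it shows that with both headers present www.otherdomain.com is refused by the 'self' policy, while the custom header on its own would admit it; it also shows that with both headers present even sub.domain.com framing itself is refused, because the custom policy does not list the page's own origin. When checking a real deployment, compare the complete set of Content-Security-Policy response headers rather than the one you configured.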