Duplicate Content Security Policies for frame ancestors generated (Blazor, IIS and Chrome)
I have published a web app (sub.domain.com) to an Internet Information Services (IIS) virtual server and now wish to display it in an iFrame on www.otherdomain.com. The published web.config file on the web server does not contain a CSP directive until one is automatically added in IIS using the custom key/value pair shown below:
The web.config file is then modified to contain the following:
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors *.otherdomain.com www.otherdomain.com" />
</customHeaders>
</httpProtocol>
So far so good. The problem is that when I try to display the page in an iFrame I get the following error:
Refused to frame 'https://sub.domain.com' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'">
When I view the resulting response header in Chrome Dev Tools it shows two different frame-ancestors directives are present:
Questions:
1. What could be auto-generating the first director ("frame-ancestors 'self'")? IIS? Chrome>?
2. If two headers are present, would the second directive (the custom one added via IIS) be ignored.
3. What can I try in order to resolve the error?
- The header is apparently not set at the current or parent(s) level in IIS as it doesn't show up in the image you have provided. It is likely set in code, by default configuration in a framework, a proxy, a load balancer or at a sub level in IIS. You'll just have to look at all the possible sources.
- If multiple policies are present, all policies apply and you need to pass all of them. Effectively the policy will be 'self'.
- Check all components. Most likely this is a default header inserted by a framework.
- Unable to locate package google-chrome-stable ubuntu12 on openstack
- Export all http requests on a specific page to txt/csv
- Is there an API for websites to disable ad block plus themselves?
- How to make browser request smaller range with 206 Partial Content
- Getting Chrome to accept self-signed localhost certificate
- How does Chrome's "Request Desktop Site" option work?
- Does service worker runs on background even if browser is closed?
- How to find out if the user browser is Chrome?
- Chrome Developer Console shortcut CTRL Shift J does nothing
- Google Chrome net::ERR_TOO_MANY_RETRIES
- ERR_INTERNET_DISCONNECTED when Chrome console is open
- How is Google Meet able to show CPU usage?
- Chrome inspector does not show network requests path and etc
- Extracting Sound from Google Translate
- Can I ignore the "Leave Site?" dialog when browsing headless using Puppeteer?
- SSL Localhost Privacy error
- Find out whether Chrome console is open
- How do I create formatted javascript console log messages
- How to work with a specific version of ChromeDriver while Chrome Browser gets updated automatically through Python selenium
- How to remove focus border (outline) around text/input boxes? (Chrome)
- Force open the details / summary tag for Print in Chrome
- SSRS - When navigating to a linked website or report, then navigate back, lose scroll position and parameters
- How to avoid the "Your connection is not private" screen when developing an HTTP2 site locally?
- How to install Google chrome in a docker container
- How to run google chrome headless in docker?
- Change playout delay in WebRTC stream
- Chrome dev tools crashing when debugging JS
- Chrome timeline - how can I determine the cause of a "Recalculate Style" log entry?
- How to disable Google Chrome extension autoupdate
- How to set window-size to fullscreen for headless-chrome using chrome options?