Tags: google-chrome, iis, iframe, blazor, content-security-policy

Duplicate Content Security Policies for frame ancestors generated (Blazor, IIS and Chrome)


I have published a web app (sub.domain.com) to an Internet Information Services (IIS) virtual server and now wish to display it in an iFrame on www.otherdomain.com. The published web.config file on the web server does not contain a CSP directive until one is automatically added in IIS using the custom key/value pair shown below:

[Image: HTTP Response Header used in IIS]

The web.config file is then modified to contain the following:

<httpProtocol>
     <customHeaders>
          <add name="Content-Security-Policy" value="frame-ancestors *.otherdomain.com www.otherdomain.com" />
     </customHeaders>
</httpProtocol>

So far so good. The problem is that when I try to display the page in an iFrame I get the following error:

Refused to frame 'https://sub.domain.com' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"

When I view the resulting response header in Chrome Dev Tools, it shows that two different frame-ancestors directives are present:

[Image: 2 directives shown in Chrome Dev Tools]

Questions:

1. What could be auto-generating the first directive ("frame-ancestors 'self'")? IIS? Chrome?

2. If two headers are present, would the second directive (the custom one added via IIS) be ignored?

3. What can I try in order to resolve the error?


Solution

    1. The header is apparently not set at the current or parent level(s) in IIS, as it doesn't show up in the image you have provided. It is likely set in code, by a default configuration in a framework, by a proxy or load balancer, or at a sub-level in IIS. You'll just have to look at all the possible sources.
    2. If multiple policies are present, all policies apply and you need to pass all of them. Effectively the policy will be 'self'.
    3. Check all components. Most likely this is a default header inserted by a framework.
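As an added example (not code from the question, the answer, or the project being deployed), the following Node.js script models how a browser evaluates frame-ancestors when a response carries more than one Content-Security-Policy header: each header is parsed as its own policy, and the framing page has to be allowed by every policy that contains a frame-ancestors directive. With the two headers from the question, the 'self' policy alone is enough to refuse www.otherdomain.com even though the IIS-added policy permits it. The header values and origins are constructed to match the question; the source-expression matching is a simplified form of the CSP3 rules, written for this illustration.

```javascript
// Added example: evaluate CSP frame-ancestors across several policies.
// Uses only the global URL class (Node.js >= 10), no external modules.

// Parse one Content-Security-Policy header value into directive name -> source list.
// Per the CSP spec, a directive repeated inside the same policy is ignored after
// its first occurrence, so only the first one is kept.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the ancestor origin?
// Covers the forms frame-ancestors accepts: 'none', 'self', '*', a scheme
// (https:) and a host-source ([scheme://]host[:port], with *.host wildcards).
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:\/]+|[^:\/*]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A scheme-less host-source inherits the framed page's scheme; an http page
  // additionally accepts https ancestors (CSP3 scheme-part matching).
  const wantScheme = scheme ? scheme + ':' : self.protocol;
  if (ancestor.protocol !== wantScheme &&
      !(wantScheme === 'http:' && ancestor.protocol === 'https:')) return false;
  const h = ancestor.hostname;
  if (host.startsWith('*.')) {
    // '*.otherdomain.com' matches 'www.otherdomain.com' but NOT the apex 'otherdomain.com'.
    if (!h.endsWith(host.slice(1))) return false;
  } else if (h !== host) {
    return false;
  }
  const effectivePort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  if (port === undefined) {
    if (ancestor.port !== '') return false; // no port in the source: only the default port matches
  } else if (port !== '*' && port !== effectivePort) {
    return false;
  }
  return true;
}

// Evaluate the ancestor against every policy delivered with the response.
// Returns the header values that refuse the ancestor; the frame loads only
// if the returned list is empty. A policy without frame-ancestors imposes no
// framing restriction and is skipped.
function blockingPolicies(headers, ancestorOrigin, selfOrigin) {
  const ancestor = new URL(ancestorOrigin);
  const self = new URL(selfOrigin);
  const blocked = [];
  for (const value of headers) {
    const sources = parsePolicy(value).get('frame-ancestors');
    if (sources === undefined) continue;
    if (!sources.some(src => sourceMatches(src, ancestor, self))) blocked.push(value);
  }
  return blocked;
}

// Build a message in the style of the browser console entry quoted in the question.
function explainFrame(headers, ancestorOrigin, selfOrigin) {
  const blocked = blockingPolicies(headers, ancestorOrigin, selfOrigin);
  if (blocked.length === 0) return `Frame allowed: ${selfOrigin} inside ${ancestorOrigin}`;
  return `Refused to frame '${selfOrigin}' because an ancestor violates: ` +
         blocked.map(v => `"${v}"`).join(' and ');
}

// Constructed sample mirroring the two headers shown in the question's Dev Tools screenshot.
const SAMPLE_HEADERS = [
  "frame-ancestors 'self'",                                // the unexplained first policy
  "frame-ancestors *.otherdomain.com www.otherdomain.com", // the policy added in IIS
];
const FRAMED = 'https://sub.domain.com';
const PARENT = 'https://www.otherdomain.com';

console.log(explainFrame(SAMPLE_HEADERS, PARENT, FRAMED));          // refused by the 'self' policy
console.log(explainFrame(SAMPLE_HEADERS.slice(1), PARENT, FRAMED)); // allowed once that policy is gone
```

Running the script prints the refusal first and the allowed case second: deleting the IIS entry would not help, because the 'self' policy is the one doing the blocking, and only removing or editing whichever component emits that first header clears the error. Two practitioner notes that fall out of the evaluator: `*.otherdomain.com` already covers `www.otherdomain.com` (so the second source in the IIS value is redundant), but it does not cover the bare `otherdomain.com`, which would have to be listed explicitly; and an easy way to tell the emitting component apart from IIS is to request the page with `curl -I` directly from the application (for instance from Kestrel on the development machine) and see whether the 'self' header is still present without IIS in the path.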