I am creating an iFrame widget using .NET 9 Blazor. However, displaying it in an iFrame fails with the following error:
Refused to frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors"
In Chrome Dev Tools I can see that a frame-ancestors 'self' directive has been automatically added, presumably by the .NET 9 framework (see What's New in ASP.NET Core 9).
How do I either remove this and replace it with a less restrictive directive (e.g., frame-ancestors *.mydomain.com) OR prevent it from being added in the first place?
I figured it out. The value of the policy can be set in middleware within Program.cs. E.g.
    app.MapRazorComponents<App>()
        .AddInteractiveServerRenderMode(o => o.ContentSecurityFrameAncestorsPolicy = "'self' *.mydomain.com");
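
An added example, not part of the original answer: a simplified JavaScript model of how a browser matches `frame-ancestors` sources (CSP Level 3), showing which embedding pages the value `'self' *.mydomain.com` admits. The function names and the `widget.`/`portal.` hostnames are constructed for illustration, and paths and port upgrade rules are left out.

```javascript
// Simplified model of CSP Level 3 source matching for frame-ancestors.
// Added illustration: not a browser's implementation and not framework code.

function schemeMatches(sourceScheme, urlScheme) {
  // An http source also matches https (upgrade); otherwise schemes must be equal.
  return sourceScheme === urlScheme || (sourceScheme === "http" && urlScheme === "https");
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.mydomain.com" needs at least one extra label, so the apex does not match.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function sourceMatches(source, ancestor, self) {
  // 'self' is modelled as plain origin equality (simplification).
  if (source === "'self'") return ancestor.origin === self.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // 'none', scheme-only or malformed sources are not modelled
  const [, scheme, host, port] = m;
  // With no scheme in the source, the protected page's own scheme is used.
  const wanted = (scheme || self.protocol.slice(0, -1)).toLowerCase();
  if (!schemeMatches(wanted, ancestor.protocol.slice(0, -1))) return false;
  if (!hostMatches(host.toLowerCase(), ancestor.hostname)) return false;
  // No port in the source: the ancestor must use its scheme's default port.
  if (port === undefined) return ancestor.port === "";
  return port === "*" || port === ancestor.port;
}

// Framing is allowed only if every ancestor in the chain matches some source.
function framingAllowed(policy, selfUrl, ancestorUrls) {
  const sources = policy.trim().split(/\s+/);
  const self = new URL(selfUrl);
  return ancestorUrls.every((a) => sources.some((s) => sourceMatches(s, new URL(a), self)));
}

// Constructed sample: the widget is served from widget.mydomain.com over HTTPS.
const policy = "'self' *.mydomain.com";
const widget = "https://widget.mydomain.com/";
for (const chain of [
  ["https://portal.mydomain.com/page"],      // subdomain
  ["https://mydomain.com/"],                 // apex domain
  ["http://portal.mydomain.com/"],           // plain HTTP parent
  ["https://portal.mydomain.com/", "https://other.example/"], // nested frames
]) {
  console.log(chain.join(" <- "), "=>", framingAllowed(policy, widget, chain) ? "allowed" : "blocked");
}
```

If the widget must also be embeddable from the apex domain, the policy needs `mydomain.com` listed as its own source next to `*.mydomain.com`.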