Content-Security-Policy: frame-ancestors doesn't work
As mentioned here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, CSP: frame-ancestors is supported from Firefox 33. However, it seems doesn't work.
I am trying to embed a 3-party site into our page using an iframe. The 3-party site did whitelist us using these headers - Content-Security-Policy: frame-ancestors 'self' https://*.ourdomain.com - X-Frame-Options: SAMEORIGIN
It works fine on Chrome, but not Firefox. I am using Firefox 79.
Is there anything wrong with our headers?
Thank you!
As mentioned here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, CSP: frame-ancestors is supported from Firefox 33. However, it seems doesn't work.
I am trying to embed a 3-party site into our page using an iframe. The 3-party site did whitelist us using these headers
- Content-Security-Policy: frame-ancestors 'self' https://*.ourdomain.com
- X-Frame-Options: SAMEORIGIN
It works fine on Chrome, but not Firefox. I am using Firefox 79.
Is there anything wrong with our headers?
Thank you!
Wybrane rozwiązanie
There is a bug with nested iframe https://bugzilla.mozilla.org/show_bug.cgi?id=1404438
Przeczytaj tę odpowiedź w całym kontekście 👍 0Wszystkie odpowiedzi (1)
Wybrane rozwiązanie
There is a bug with nested iframe https://bugzilla.mozilla.org/show_bug.cgi?id=1404438