Attempting to render an iframe: an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'"

I would like to display an iframe with a GitHub source as follows:

<iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe>

This is the error I get in the console: Refused to display 'https://gist.github.com/fresh5447/9bf8d568e3350146ba302d7d67ad576f' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

I looked into how to specify my Content Security Policy on my Node server so that it accepts any iframes from GitHub.

So I installed helmet-csp and added this to my server code:

var express = require('express')
var csp = require('helmet-csp')

var app = express()

app.use(csp({
  // Specify directives as normal.
  directives: {
    frameAncestors: ['*.github.com'],  // I thought these two did the same thing, so I tried both.
    childSrc: ['*.github.com']
  },

  // Set to true if you only want browsers to report errors, not block them.
  // You may also set this to a function(req, res) in order to decide dynamically
  // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
  reportOnly: false,

  // Set to true if you want to blindly set all headers: Content-Security-Policy,
  // X-WebKit-CSP, and X-Content-Security-Policy.
  setAllHeaders: false,

  // Set to true if you want to disable CSP on Android where it can be buggy.
  disableAndroid: false,

  // Set to false if you want to completely disable any user-agent sniffing.
  // This may make the headers less compatible but it will be much faster.
  // This defaults to `true`.
  browserSniff: true
}))

app.listen(3000)

But I still get the same error.

I'm reading through the white papers and the HTML5 Rocks article.

Not sure whether I'm close or completely off track.

Update

I also tried setting the CSP with a meta tag.

  <meta http-equiv="Content-Security-Policy" content="child-src https://gist.github.com; frame-ancestors https://gist.github.com;">

Then I got this error:

Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive.

Thanks in advance.


frame-ancestors restricts who may load a page in an iframe, and it is set by the page being framed, not by the page doing the framing. This is GitHub's CSP, not yours. frame-ancestors is the CSP counterpart of X-Frame-Options: the server serving the framed document declares who may embed it. Gist sends 'none', so you cannot put a Gist in an iframe.

frame-ancestors 'none' == X-Frame-Options: DENY



So it is not your CSP that is blocking this, it is GitHub's CSP. GitHub forbids framing its pages through its CSP, and you can't change that from your side.


Source: https://habr.com/ru/post/1648832/

