CSP frame-ancestors wildcard usage failing


I've got a need to whitelist my website from being iframed just for one particular domain. The url accessing the wildcard will be something like https://app.domain.com/project/123/456

The https://app.domain.com/project/123 section always stays constant but the end will change.

I tried to implement the below frame-ancestors directive but it fails with an error in the browser.

frame-ancestors 'self' https://app.domain.com/project/123/*;

The error I get is

Refused to frame 'https://yourdomain.cloud/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://app.domain.com/project/123/*".

Does the wildcard work only on subdomain, port level?

There is 1 answer

David Trevor

The wildcard must be leading. Please check this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Internet hosts by name or IP address, as well as an optional URL scheme and/or port number, separated by spaces. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source. Single quotes surrounding the host are not allowed.
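To see why the trailing path wildcard in the question never matches while a leading host wildcard, a port wildcard or a path ending in "/" does, here is a simplified JavaScript model of the CSP3 source-expression matching rules (scheme, host with optional leading "*.", port or "*", and segment-wise path prefix). It is an added example, not code from the question, the answer or any browser, and it deliberately omits scheme upgrades (http to https) and percent-decoding of path segments; the URLs and origins used are the ones from the question.

```javascript
// Simplified model of CSP3 source-expression matching (added example, not the
// browser's code). Omits http->https upgrades and percent-decoding of paths.
const DEFAULT_PORT = { http: "80", https: "443" };

// host-source = [scheme "://"] host [":" port] [path]
// A wildcard is only accepted as a leading "*." host label or as the port.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s;,]*)?$/i.exec(expr);
  if (!m) throw new Error(`not a host-source: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(),
           port: m[3] || null, path: m[4] || "" };
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {                 // "*.domain.com"
    const suffix = pattern.slice(1);              // ".domain.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// Paths compare segment by segment. A pattern ending in "/" is a prefix match;
// otherwise every segment must be equal. "*" is just a literal segment here.
function pathMatches(pattern, path) {
  if (pattern === "") return true;
  const want = pattern.split("/"), got = path.split("/");
  if (!pattern.endsWith("/")) {
    return want.length === got.length && want.every((s, i) => s === got[i]);
  }
  return want.slice(0, -1).every((s, i) => s === got[i]);
}

function sourceMatches(expr, urlString) {
  const src = parseSource(expr), url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if (src.scheme && src.scheme !== scheme) return false;
  if (!hostMatches(src.host, url.hostname)) return false;
  const port = url.port || DEFAULT_PORT[scheme];
  const wantPort = src.port === null ? DEFAULT_PORT[src.scheme || scheme] : src.port;
  if (wantPort !== "*" && wantPort !== port) return false;
  return pathMatches(src.path, url.pathname);
}

// Evaluate a frame-ancestors value for one embedding (ancestor) document URL.
function frameAncestorsAllow(directive, pageOrigin, ancestorUrl) {
  const self = new URL(ancestorUrl).origin === pageOrigin;
  const tokens = directive.replace(/;\s*$/, "").trim().split(/\s+/);
  return tokens.some((t) => (t === "'self'" ? self : sourceMatches(t, ancestorUrl)));
}
```

Running `frameAncestorsAllow` with the question's directive and ancestor URL returns false, while the same directive with the path written as `https://app.domain.com/project/123/` returns true.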