Is there a way to create a fallback page for iframes blocked by CSP? - content-security-policy

I'm using frame-ancestors in our CSP to only allow embedding via iframe for certain websites. However, I would like to show some kind of message in the iframe if embedding is denied via CSP, something along the lines "Access denied, contact support". Is there a way to do that?

Related

Directus: Content Security Policy error - frame-src blocked when embedding a YouTube video

I'm using Directus with editorjs extension and trying to embed a YouTube video, but I'm encountering a Content Security Policy error that is blocking the frame-src. The error message I'm getting is:
"Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)."
I've tried adding the following setting in my .env file:
CONTENT_SECURITY_POLICY_DIRECTIVES__FRAME_SRC="array:'self', 'https://www.youtube.com'"
But I'm still encountering the same error.
There is likely a Content Security Policy present on your page, and adding another one can only make it stricter, not loosen any of the directives. First you'll likely need to locate the existing CSP, likely in a response header, find how it is set and modify it.
To fix the inline script violation you will need to add the hash of the inline script (some browsers will tell you the hash), add a nonce to the script, refactor it into a file or resort to adding 'unsafe-inline'. You should add your chosen source to script-src.
You should also add www.youtube.com to frame-src and/or child-src (frame-src falls back to child-src in CSP level 3 and to default-src in CSP level 2).

How to fix "Content Security Policy - contains an invalid source" error?

I'm getting this error and I don't know why; the scripts that I have included work.
And the error only shows up when I load a subpage, not when I load the start page.
So what am I doing wrong?
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">
Any input really appreciated, thanks.
And the error only shows up when I load a subpage. I'm getting this error and I don't know why.
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
It's not an error, just a warning that your browser does not support the 'strict-dynamic' token (I guess you use Safari).
I guess that subpage contains some Google iframe (OAuth2, reCAPTCHA, etc.). That iframe publishes its own CSP which contains the 'strict-dynamic' token, and this CSP was created in browser backward-compatibility mode (Google makes them that way).
That's a warning from a third-party CSP, not yours.
The scripts that I have included work?
Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except for the frame-ancestors directive).
So what am I doing wrong?
Nothing. It's the intended, regular operation of Content Security Policy.
Each browsing context can have its own CSP. But all warnings flow into one browser console, and that is misleading.

Content Security Policy with Paypal button

I wanted to set a Content Security Policy (CSP) on my web page, which has a PayPal button, which has a gif image served from https://www.paypalobjects.com. I included it in my img-src whitelist.
<input type="image" src="https://www.paypalobjects.com/en_GB/SG/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
But the image is then temporarily redirected to random domains like https://akamai.mathtag.com, https://ak1s.abmr.net
How should I set CSP such that img-src includes the redirect domains as well? I do not know all the redirect domains.
Please note, PayPal states that you should only hotlink the checkout button and not save it anywhere else:
PayPal requires that you use the PayPal Check out button and the PayPal mark image hosted on secure PayPal servers.
Obtaining an Express Checkout Button and PayPal Mark
It is unclear how enforced this is.
CSP requires that you know the domains you are referencing content from, which is one of its weaknesses.
In order to get around that, there's a few things you could do:
Remove the img-src whitelist from CSP altogether. This sounds sub-optimal, but unless someone is able to directly compromise your server (in which case they could modify the CSP header anyway), or they are able to exploit a Cross-Site Scripting attack on your site, the img-src is not a huge concern. I would worry more about the script-src section, which, if implemented properly, would likely prevent unauthorized images from being loaded anyway.
Create a whitelist based proxy for CSP purposes. Basically, the browser requests the image from your server, and your server then retrieves the images on the backend, following through the redirects, caches the image, and returns it to the user.
As SilverlightFox said, you could also store the image directly on your servers. This could be problematic if you ever need to access other images that don't comply with such a strict CSP. Also, if the buy button image changes and you are unaware of it/haven't updated it, that could create suspicion amongst potential customers who had seen the new buy button elsewhere.
Hope that helps!

MediaWiki page edit causes "Load denied by X-Frame-Options: does not permit cross-origin framing"

I am running a MediaWiki on a VM, accessing it through http://12.34.56.78/wiki -- I was able to edit pages.
Now I've redirected my domain http://foo.org to http://12.34.56.78/wiki
http://foo.org/wiki does indeed find my wiki, but when I attempt to edit a page I get a blank page. Inspecting the console yields:
Load denied by X-Frame-Options: does not permit cross-origin framing
What is the cause of the problem? And what is the solution?
Sounds to me like you are using "frame-redirects" from http://foo.org to http://12.34.56.78/wiki. Frame redirects are a nasty hack and often cause problems, like the one above.
You should use actual HTTP (reverse) proxying, or a domain alias (CNAME) and rewrite rules. The difference is that with the proxy, the data actually travels through an intermediate web server (the proxy), while with the CNAME + rewrite, it's just two names for the same box.
Have a look at https://en.wikipedia.org/wiki/URL_redirection to understand all the different kinds of forwarding and redirection.

Tracking down X-Frame-Options header

We've partnered with a company whose website will display our content in an IFRAME. I understand what the header is and what it does and why, what I need help with is tracking down where it's coming from!
Windows Server 2003/IIS6
Container page: https://testDomain.com/test.asp
IFRAME Content: https://ourDomain.com/index.asp?lots_of_parameters,_wheeeee
Testing in Firefox 24 with Firebug installed. (IE and Chrome do the same thing.) Also running Fiddler so I can watch network traffic while I'm at it.
For simplicity's sake, I created a page with nothing on it but the IFRAME in question - same physical server, different domain/site - and it failed with
Load denied by X-Frame-Options: https://www.google.com/ does not permit cross-origin framing.
(That's in the Firebug console.) I'm confused because:
Google is not referenced anywhere in the containing app, or in the IFRAMEd app. All javascript libraries are kept locally; there is no analytics in the app. No Google, nowhere.
The containing page has NOTHING on it, except the IFRAME. No html tags, no head tag, no body tag. IFRAME. That's it.
The X-FRAME-OPTIONS header does not exist in IIS on the server: not at the "Websites" node, not in the individual sites.
So where the h-e-double-sticks is that coming from? What am I missing?
Interesting point: if I remove http"S" from the IFRAME url, it works. Given the nature of the data, SSL is required.
You might check global.asax.cs, the app could be adding the header to every response automatically. If you just search the app for "x-frame-options" you might find something also.
