On Apache 2.2 I'm about to set up Content-Security-Policy to allow browsers coming from one particular domain to load data into iframes from a certain virtual host.
$ httpd -S
VirtualHost configuration:
Syntax OK
$ httpd -S -v
Server version: Apache/2.2.15 (Unix)
I believe this directive should do the trick:
Header set Content-Security-Policy "default-src 'self'; frame-ancestors *.requestorsdomain.no"
Problem: Where do I insert it in httpd.conf? I placed it in httpd.conf as follows, and it seems to be accepted syntactically after a restart.
httpd.conf:
<Directory "/app/httpd/html">
Header set Content-Security-Policy "default-src 'self'; frame-ancestors *.requestorsdomain.no"
</Directory>
The particular virtual server that should allow iframes is included at the end of httpd.conf and passes requests on to a JBoss on the same server.
Include virtual.d/*.conf
../virtual.d/rolf.conf:
ProxyPass /rolf/ http://rolfhost:8080/rolf/
ProxyPassReverse /rolf/ http://rolfhost:8080/rolf/
Furthermore, all of this is behind a BlueCoat reverse proxy that allows incoming Internet traffic.
So, in summary: it does not work. The client still can't load into iframes. Probably the headers get stuck or are not served correctly. How do I do it correctly? Will I need to apply CSP passing in Blue Coat as well?
Thank you, help is highly appreciated.
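Whether the policy in the question admits a given embedding page is decided by the browser matching the embedder's origin against the frame-ancestors source list; the following added example (not part of the question) evaluates that matching offline so the policy can be checked before touching httpd.conf. The protected origin https://www.example.net is an assumed placeholder for the virtual host; note that `*.requestorsdomain.no` matches subdomains only, not the bare `requestorsdomain.no`.

```python
# Added example (not from the question): evaluate a CSP frame-ancestors
# directive the way a browser does, to see which embedder origins it admits.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.requestorsdomain.no" matches subdomains only, never the bare domain
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def _source_matches(expr, embedder, protected):
    """Match one source expression against the embedder origin (split URL)."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (embedder.scheme, embedder.hostname, embedder.port) == \
               (protected.scheme, protected.hostname, protected.port)
    if expr.endswith(":") and "://" not in expr:     # scheme-source, e.g. "https:"
        return embedder.scheme == expr[:-1]
    if "://" in expr:                                 # host-source with explicit scheme
        scheme, rest = expr.split("://", 1)
        if embedder.scheme != scheme:
            return False
    else:                                             # schemeless: same scheme, or http -> https
        rest = expr
        if embedder.scheme != protected.scheme and not (
                protected.scheme == "http" and embedder.scheme == "https"):
            return False
    host, _, port = rest.partition(":")
    if not _host_matches(host, embedder.hostname or ""):
        return False
    default_port = {"http": 80, "https": 443}.get(embedder.scheme)
    return port in ("", "*") or str(embedder.port or default_port) == port

def frame_allowed(csp_header, embedder_origin, protected_origin):
    """True if a page at protected_origin sending csp_header may be framed by embedder_origin."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True  # no frame-ancestors directive: CSP places no framing restriction
    embedder, protected = urlsplit(embedder_origin.lower()), urlsplit(protected_origin.lower())
    return any(_source_matches(s, embedder, protected) for s in sources)

if __name__ == "__main__":
    POLICY = "default-src 'self'; frame-ancestors *.requestorsdomain.no"  # policy from the question
    for origin in ("https://app.requestorsdomain.no", "https://requestorsdomain.no"):
        print(origin, "->", frame_allowed(POLICY, origin, "https://www.example.net"))
```

Run it against the exact header value the server returns (e.g. from `curl -sI` against the proxied path) rather than the value in httpd.conf, since a header set in a `<Directory>` block does not apply to proxied requests that never map to that directory.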