
I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings.

However I can't seem to find what might be wrong if '' gets refused.

The literal error message in the browser is

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *".

It only happens in Chrome. Loading the page in Firefox or Internet Explorer works just fine.

I set the following CSP (this is really one line. I put new lines in for readability):

default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
frame-src 'self' *;
object-src 'none';
font-src 'self' data:;

Now it was my understanding that * means "everything". What is it that Chrome is showing me no love for?

Sidenote: We have evaluated getting rid of 'unsafe-inline' and 'unsafe-eval' but we cannot at the moment. If this might be causing my problem please point out how. Otherwise I am aware that it's a security implication and we're working on getting rid of it. For now it's here to stay.

Setting: The webserver is an Apache:

# rpm -q httpd
httpd-2.4.6-80.el7.centos.1.x86_64

edit1: The error occurs when trying to open the client's mail program from within the website. The user clicks on a link and the mail program is supposed to open.

This might be why Chrome displays an empty string ('') as the blocked content.

Worp
  • Our frontend department has found a workaround but I am not sure what the workaround was. If someone can shine some light on the issue though I'd be more than happy to accept as an answer. – Worp Dec 27 '18 at 19:56

1 Answer


Had exactly that problem today. I solved it by using

frame-src data:

Btw. '*' is only a wildcard for URLs. data:, 'unsafe-inline' and 'unsafe-eval' have to be added individually.

MrKaschka
  • I am getting a similar error: Refused to frame 'https://embed.windy.com/' because it violates the following Content Security Policy directive: "frame-src 'self' http://mesowest.utah.edu". I am not sure of the fix I need to put in my .htaccess file – Codejoy Dec 04 '19 at 23:58
  • I wasn't able to test this, but if people are testing it, please give feedback. If it helps you I'll gladly mark it as the answer. – Worp Mar 30 '21 at 07:30
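The point made in the answer (that * covers only network URLs, while data: and the 'unsafe-...' keywords are separate kinds of source) can be checked with a small model of CSP Level 3 source matching for frame-src. This is an added example, not code from the question, the answer or any browser; the page origin https://app.example is a constructed placeholder, and path and port matching are left out for brevity.

```javascript
// Added example: how a browser matches an iframe URL against a frame-src value,
// following the CSP Level 3 source-expression rules (path and port parts ignored).
const HTTP_SCHEMES = new Set(["http:", "https:"]);

// A scheme in a source expression also covers its secure upgrade (CSP3 scheme-part matching).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && (urlScheme === "wss:" || urlScheme === "https:"));
}

// True if one source expression ("*", "'self'", "data:", "http://host", "*.host")
// allows the given URL for a page served from pageOrigin.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (expr === "*") {
    // '*' is a wildcard for HTTP(S) URLs (and the page's own scheme) only:
    // data:, blob:, mailto: and other non-network schemes are never covered by it.
    return HTTP_SCHEMES.has(u.protocol) || u.protocol === page.protocol;
  }
  if (expr === "'self'") return u.origin === page.origin;
  // Keyword sources ('unsafe-inline', 'unsafe-eval', 'none', nonces, hashes)
  // never match a URL, so they are no substitute for an explicit data: source.
  if (expr.startsWith("'")) return false;
  // scheme-source such as "data:" or "mailto:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  // host-source: optional scheme, host with optional leading "*.", optional port/path
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*\.)?([^/:*]+)(?::\d+)?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // Without an explicit scheme the host-source takes the page's own scheme.
  if (!schemeMatches((scheme || page.protocol).toLowerCase(), u.protocol)) return false;
  const h = host.toLowerCase();
  return wildcard ? u.hostname.endsWith("." + h) : u.hostname === h;
}

// Applies a whole frame-src value: the frame is allowed if any source matches.
function frameAllowed(directiveValue, url, pageOrigin) {
  return directiveValue.trim().split(/\s+/).some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE = "https://app.example"; // constructed page origin
console.log(frameAllowed("'self' *", "https://embed.windy.com/", PAGE));        // true
console.log(frameAllowed("'self' *", "data:text/html,<p>hi</p>", PAGE));       // false
console.log(frameAllowed("'self' * data:", "data:text/html,<p>hi</p>", PAGE)); // true
console.log(frameAllowed("'self' *", "mailto:user@example.invalid", PAGE));    // false
```

The last comment's case is covered too: "frame-src 'self' http://mesowest.utah.edu" refuses https://embed.windy.com/ because the host does not match, while the http: scheme in that source still allows https://mesowest.utah.edu under the upgrade rule.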