I am developing a Salesforce app which is rendered inside an iframe in a Salesforce page. I am using a Node Express server to render this page. As part of a security review, I want to render only in the Salesforce page and block it if it is embedded anywhere else.
For that, I have added a Content-Security-Policy header as below:
response.header('Content-Security-Policy', 'frame-ancestors salesforce.com');
But it is blocked on salesforce page too.
Error:
Refused to display 'https://localhost:8000/authenticate' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors salesforce.com.*
Salesforce app URL where my iframe is rendering: https://ap4.salesforce.com/0016F00001vmoMu
I tried giving the domain as *.salesforce.com in the directive, but it didn't work either.
Can someone help me see where I am going wrong?