Asked Tuesday, March 14, 2017

I am developing a Salesforce app which is rendered inside an iframe in a Salesforce page, using a Node Express server to render this page. As part of the security review, I want to render only in the Salesforce page and block it if it is embedded anywhere else.

For that, I have added a Content-Security-Policy header as below:

    response.header('Content-Security-Policy', 'frame-ancestors salesforce.com');

But it is blocked on the Salesforce page too.

Error:

    Refused to display 'https://localhost:8000/authenticate' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors salesforce.com.

Salesforce app URL where my iframe is rendering: https://ap4.salesforce.com/0016F00001vmoMu

I tried giving the domain as *.salesforce.com in the directive, but it didn't work either.

Can someone help me find where I am going wrong?



Answers

Setting this policy enabled it to render in all browsers:

    add_header Content-Security-Policy "frame-src 'self' https://salesforce.com";

Answered Sunday, March 12, 2017 by karleel
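The question and the answer above name two different directives, and they do different jobs: frame-ancestors restricts which pages may embed your response, while frame-src restricts which frames your own page may load. For the "only embed me inside Salesforce" goal, frame-ancestors is the one the browser consults, and it is matched against the origin of every ancestor frame using the CSP host-source rules: a bare host such as salesforce.com matches only that exact host, so a page at https://ap4.salesforce.com does not match it, whereas *.salesforce.com matches subdomains (and not the apex host). The following is an added example, not code from the question, the answer, or Salesforce: a dependency-free Node.js helper that builds the frame-ancestors header, an Express-style middleware that sets it, and a checker that applies the matching rules so a directive value can be verified against the origins involved before it is deployed. The function names, the middleware shape, and the sample origins are assumptions for illustration.

```javascript
// Added example (not from the question or answer above): build a
// Content-Security-Policy frame-ancestors header and check an embedding
// page's origin against it using CSP Level 3 host-source matching rules.
// Names, the middleware shape and the sample origins are illustrative.
"use strict";

// Default ports used when a source expression or an origin omits one.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Build the header value from source expressions such as
// ["'self'", "https://*.salesforce.com"].
function buildFrameAncestors(sources) {
  if (!Array.isArray(sources) || sources.length === 0) {
    throw new Error("frame-ancestors needs at least one source; use 'none' to block all embedding");
  }
  return `frame-ancestors ${sources.join(" ")}`;
}

// Split a host-source such as "https://*.salesforce.com:443" into parts.
// Returns null for quoted keywords ('self', 'none') and unparsable input.
function parseHostSource(expr) {
  if (expr.startsWith("'")) return null;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? `${m[1].toLowerCase()}:` : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// An explicit http: source also admits https: ancestors; otherwise schemes must be equal.
function schemeMatches(wanted, actual) {
  return actual === wanted || (wanted === "http:" && actual === "https:");
}

// CSP3 host-source matching for one parsed expression against an ancestor
// origin. Paths are ignored because frame-ancestors compares origins only.
function hostSourceMatches(src, ancestor, self) {
  // With no scheme in the expression, the protected resource's own scheme is required.
  if (!schemeMatches(src.scheme || self.protocol, ancestor.protocol)) return false;
  const host = ancestor.hostname.toLowerCase();
  if (src.host.startsWith("*.")) {
    // "*.salesforce.com" matches ap4.salesforce.com but not salesforce.com itself.
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== "*" && src.host !== host) {
    return false;
  }
  const ancestorPort = ancestor.port || DEFAULT_PORTS[ancestor.protocol] || "";
  if (src.port === "*") return true;
  if (src.port) return src.port === ancestorPort;
  return ancestorPort === (DEFAULT_PORTS[ancestor.protocol] || "");
}

// Decide whether a page at `ancestorOrigin` may embed the resource served at
// `selfOrigin` under the given frame-ancestors value. The browser runs this
// check for every ancestor in the frame chain, not only the top-level page.
function ancestorAllowed(policyValue, ancestorOrigin, selfOrigin) {
  const sources = policyValue.replace(/^\s*frame-ancestors\s+/i, "").trim().split(/\s+/);
  const ancestor = new URL(ancestorOrigin);
  const self = new URL(selfOrigin);
  for (const source of sources) {
    const lower = source.toLowerCase();
    if (lower === "'none'") continue; // 'none' never matches anything
    if (lower === "'self'") {
      if (ancestor.origin === self.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/i.test(lower)) {
      if (schemeMatches(lower, ancestor.protocol)) return true; // scheme-only source
      continue;
    }
    const parsed = parseHostSource(source);
    if (parsed && hostSourceMatches(parsed, ancestor, self)) return true;
  }
  return false;
}

// Express/Connect-style middleware that sets the header on every response.
function frameAncestorsMiddleware(sources) {
  const value = buildFrameAncestors(sources);
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", value);
    if (typeof next === "function") next();
  };
}

// Evaluate the question's candidate values against constructed sample origins.
function demo() {
  const app = "https://localhost:8000"; // protected resource (constructed)
  const page = "https://ap4.salesforce.com"; // embedding page (constructed)
  return ["frame-ancestors salesforce.com", "frame-ancestors *.salesforce.com", "frame-ancestors https://*.salesforce.com"]
    .map((value) => `${value} -> ${page} allowed: ${ancestorAllowed(value, page, app)}`);
}

if (typeof require !== "undefined" && require.main === module) console.log(demo().join("\n"));
```

Run it with node to see that salesforce.com rejects the ap4 origin while the two wildcard forms accept it. Two practical points follow from the checker: an embedding chain with an intermediate frame on another host (Salesforce serves some content from force.com domains) needs that host listed too, since every ancestor is checked; and scheme and port are part of the match, so a source with no port only matches an ancestor on the default port for its scheme.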