Tags: iis, content-security-policy

CSP: frame-ancestor failing


I have a strange problem with an IIS hosted website. The site has two bindings. Let's call them https://abc.xxx.com and https://def.yyy.com.

I have set the following for CSP

Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com

There is a page on that website that has an iframe with src="https://abc.xxx.com/somepath". When I access the page from the first URL binding the iframe loads fine. If I access it with the second I get:

Refused to frame 'https://abc.xxx.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com

Now for the even weirder part. If I change my CSP to include the second binding like below, the iframe loads.

Content-Security-Policy: frame-ancestors 'self' https://*.xxx.com https://*.yyy.com

I can't explain why this is the case. The iframe src is clearly using the first binding. Why would it require the second one in order to work? There is no redirect going on from one binding to another. I tried removing the wildcards and putting in the whole binding, but there was no change.

Any input is appreciated!


Solution

  • There is nothing weird; have a look at the scheme below. I have just removed the subdomains and the https:// scheme; neither matters in this case:

     xxx.com in address bar
     frame-ancestors 'self' xxx.com
    .---<iframe src= xxx.com/path ---.
    | frame-ancestors 'self' xxx.com |
    |                                |
    '--------------------------------'
    

    The iframe is loaded because xxx.com in the address bar falls under frame-ancestors 'self' xxx.com (under both sources: 'self' and xxx.com).

     yyy.com in address bar
     frame-ancestors 'self' xxx.com
    .---<iframe src= xxx.com/path ---.
    | frame-ancestors 'self' xxx.com |
    |                                |
    '--------------------------------'
    

    The iframe is not loaded because yyy.com in the address bar does not fall under either 'self' or xxx.com.

    It's just that the violation message:

    Refused to frame 'https://abc.xxx.com/' because an ancestor violates
    the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
    

    is a little bit misleading and should be treated as:

    Refused to frame 'https://abc.xxx.com/' because an ancestor HTTPS://YYY.com violates
    the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxx.com
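
To make that matching rule concrete, here is an added Python evaluator (my own example, not code from the question, the answer or any browser) that applies the frame-ancestors rules the answer describes: 'self' means the framed response's own origin, a `*.` host source needs at least one extra label, and scheme and port must agree with the ancestor's. The host names are the question's placeholders, not real sites.

```python
from urllib.parse import urlsplit
DEFAULT_PORT = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORT.get(scheme)

def source_matches(source, ancestor, framed):
    """Does one frame-ancestors source admit `ancestor` as a framer of `framed`? (origin tuples)"""
    if source == "'none'":
        return False
    if source == "'self'":
        # 'self' is the origin of the framed response, not of the page holding the <iframe>
        return ancestor == framed
    # host-source: [scheme://]host[:port]; a missing scheme inherits the framed page's scheme
    if "://" not in source:
        source = framed[0] + "://" + source
    s_scheme, s_host, s_port = origin(source)
    a_scheme, a_host, a_port = ancestor
    if s_scheme != a_scheme or s_port != a_port:
        return False
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])  # *.xxx.com admits abc.xxx.com, not bare xxx.com
    return a_host == s_host

def frame_ancestors_sources(policy):
    """Source list of the frame-ancestors directive, or None if the header lacks it."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None  # absent directive: this header does not restrict framing at all

def frame_allowed(policy, framed_url, ancestor_urls):
    """Would the browser render framed_url inside this chain of ancestor documents (the
    address-bar page first)? Every ancestor must match a source, or the frame is refused."""
    sources = frame_ancestors_sources(policy)
    if sources is None:
        return True
    framed = origin(framed_url)
    return all(any(source_matches(s, origin(a), framed) for s in sources)
               for a in ancestor_urls)

# The question's two bindings (constructed sample values, not real hosts)
POLICY = "frame-ancestors 'self' https://*.xxx.com"
FRAMED = "https://abc.xxx.com/somepath"
print(frame_allowed(POLICY, FRAMED, ["https://abc.xxx.com/page"]),   # True
      frame_allowed(POLICY, FRAMED, ["https://def.yyy.com/page"]))   # False
```

Running it reproduces the question: the same CSP admits the iframe when the address bar is on abc.xxx.com and refuses it from def.yyy.com, and only adding a yyy.com source (or, for operators, keeping every binding that legitimately frames the site in the list) changes the result.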