
Courtesy page when CSP frame-ancestors refuse the connection


I would like to make my website embeddable only to selected domains so I've used the CSP directive frame-ancestors:

Content-Security-Policy: frame-ancestors 'self' https://example.com/;

It works well, in fact, when I try to embed a page from mysite it displays:

mysite.com has refused the connection.

How can I show a courtesy page or a custom message instead of the one above?


Solution

  • You can use the 'report-uri' directive in your CSP header. It allows you to specify a URL where the browser will send reports when a violation of your CSP policy occurs. When a connection is refused by 'frame-ancestors', a custom message may be displayed.

    1. Create the custom page/message that you wish to display when the connection is refused.

    2. Host the aforementioned page and write down your fresh URL.

    3. In the CSP header of your main site, add the report-uri directive and set the URL as its value:

      Content-Security-Policy: frame-ancestors 'self' https://myexample.net/; report-uri https://myerrorsite.net/custom-message.html
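As an added example (not part of the question or the answer above), the following Python code shows the two pieces a defender ends up implementing: building the frame-ancestors header, approximating the browser's ancestor check so a policy can be unit-tested before deployment, and parsing the JSON violation report that browsers POST to the report-uri endpoint. The report body, the `https://other.example.org` ancestor and the `/csp-report` endpoint path are constructed for this example; `mysite.com`, `example.com` and `myerrorsite.net` come from the page.

```python
import json
from urllib.parse import urlparse


def build_frame_ancestors_csp(allowed_sources, report_uri=None):
    """Build the Content-Security-Policy value used in the question:
    'self' plus the listed scheme-qualified host-sources, and an optional report-uri."""
    value = "frame-ancestors 'self' " + " ".join(allowed_sources)
    if report_uri:
        value += "; report-uri " + report_uri
    return value


def ancestor_allowed(policy_sources, site_origin, ancestor_origin):
    """Approximate the browser's frame-ancestors check: may the page served at
    site_origin be framed by a document at ancestor_origin?
    Handles 'self', exact scheme://host[:port] sources and *.wildcard hosts;
    paths are ignored, as browsers ignore them for frame-ancestors host-sources."""
    anc = urlparse(ancestor_origin)
    for src in policy_sources:
        if src == "'self'":
            if ancestor_origin == site_origin:
                return True
            continue
        p = urlparse(src)  # assumed to be scheme-qualified, e.g. https://example.com/
        # an http: source also matches the https: form of the same host
        if p.scheme == anc.scheme or (p.scheme == "http" and anc.scheme == "https"):
            if p.hostname.startswith("*."):
                # "*.partner.test" matches "app.partner.test" but not "partner.test"
                if anc.hostname.endswith(p.hostname[1:]):
                    return True
            elif p.hostname == anc.hostname and p.port == anc.port:
                return True
    return False


def parse_csp_report(body):
    """Parse the JSON a browser POSTs to report-uri (Content-Type
    application/csp-report) and return the fields worth logging."""
    r = json.loads(body)["csp-report"]
    return {
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "document": r.get("document-uri"),
        "blocked": r.get("blocked-uri"),
        "enforced": r.get("disposition", "enforce") == "enforce",
    }


# Constructed sample of a frame-ancestors violation report (not captured from a browser)
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://mysite.com/embed",
    "violated-directive": "frame-ancestors 'self' https://example.com/",
    "effective-directive": "frame-ancestors",
    "original-policy": "frame-ancestors 'self' https://example.com/; report-uri https://myerrorsite.net/csp-report",
    "blocked-uri": "https://other.example.org/page",
    "disposition": "enforce",
}})
```

Note that the endpoint named in report-uri receives these JSON reports from the browser; the refused frame itself still shows the browser's own message, so logging and alerting on the reports is what the directive buys you.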