
Content Security Policy Error when rendering iframe from specified website


I am currently trying to allow specific websites to render an iframe of my website, but the following Content Security Policy added to my root web.config file doesn't seem to be doing the trick:

<add name="Content-Security-Policy" value="frame-ancestors https://https://iframetester.com/;" />

I get the following error:

Refused to frame 'My website URL' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

What is it that I'm missing/not understanding and how do I allow only specific websites to render an iframe from my website?


Solution

  • I ended up finding the issue in my specific situation. The website I have has other applications' code hosted on it, which already had some HTTP response headers baked into it. This is why I wasn't able to change this setting.
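Added example, not part of the original post: a small Python check that collects every `frame-ancestors` policy in a response and tests whether an embedder passes all of them, which is the situation the answer describes (an application-supplied header alongside the web.config one). The origin `https://mysite.example` is a placeholder, the header list is constructed, and source matching is simplified to `*`, `'self'` and exact scheme/host/port.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(value):
    """Return (scheme, host, port) for an http(s) origin or host-source, else None."""
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/"):  # a doubled "https://https://..." lands here
        return None
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def frame_ancestors_policies(headers):
    """Collect the frame-ancestors source list of every CSP policy in the response."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append(tokens[1:])
                    break                      # a repeated directive is ignored
    return found

def allows(sources, embedder, self_origin):
    """Simplified matching: '*', 'self', or an exact scheme/host/port source."""
    target = origin(embedder)
    for src in sources:
        if src == "*":
            return True
        if src.lower() == "'self'" and target and target == origin(self_origin):
            return True
        if target and origin(src) == target:
            return True
    return False

def can_frame(headers, embedder, self_origin):
    """Every delivered policy is enforced, so all of them must allow the embedder."""
    return all(allows(s, embedder, self_origin)
               for s in frame_ancestors_policies(headers))

# Constructed sample: the policy from the error message (emitted by the hosted
# application) next to a web.config header written with a single scheme.
SITE = "https://mysite.example"  # placeholder for the framed site
HEADERS = [("Content-Security-Policy", "frame-ancestors 'self'"),
           ("Content-Security-Policy", "frame-ancestors https://iframetester.com")]
```

Feeding it the headers a real response returns shows whether a second policy is still being sent after the web.config change.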