Menu
I would like to render an iframe with the source being Github like so:
<iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe> This is the error I get in the console: Refused to display 'https://gist.github.com/fresh5447/9bf8d568e3350146ba302d7d67ad576f' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
I was researching how to specify my Content Security Policy in my Node server, to specify that it should accept any iframes from github
So I installed csp-helmet and added this to my server code:
var csp = require('helmet-csp') app.use(csp({ // Specify directives as normal. directives: { frameAncestors: ['*.github.com'], //I thought these two did the same, so I tried them both. childSrc: ['*.github.com'] }, // Set to true if you only want browsers to report errors, not block them. // You may also set this to a function(req, res) in order to decide dynamically // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch. reportOnly: false, // Set to true if you want to blindly set all headers: Content-Security-Policy, // X-WebKit-CSP, and X-Content-Security-Policy. setAllHeaders: false, // Set to true if you want to disable CSP on Android where it can be buggy. disableAndroid: false, // Set to false if you want to completely disable any user-agent sniffing. // This may make the headers less compatible but it will be much faster. // This defaults to `true`. browserSniff: true })) But still the same error..
I have been trying to look at the official docs and the HTML5 rocks guide
Not sure if I am super close or taking the completely wrong approach.
I have also tried to set the CSP via meta tag.
<meta http-equiv="Content-Security-Policy" content="child-src https://gist.github.com; frame-ancestors https://gist.github.com;"> Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive. 
387
If parent page issue frame-ancestors * policy, it means you allow to embed it into iframe to any another webpage. X-Frame-Options HTTP header provide the same functionality, but it's overridden if frame-ancestor is issueed. frame-ancestor directive does not affects <iframe> embed into page who published this CSP.
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame> , <iframe> , <object> , <embed> , or <applet> . Setting this directive to 'none' is similar to X-Frame-Options : deny (which is also supported in older browsers).
CSP frame-ancestors. The frame-ancestors directive allows you to specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive we can block or allow a page from being placed within a frame or iframe.
As oreoshake points out, the problem here is not your CSP, but the CSP on GitHub. It is GitHub that is preventing you from framing them so there is nothing you can do with your CSP to resolve this.
134
The frame-ancestors value acts on the source of the iframe not the document framing it. Setting CSP on your page will have no effect on the framing. Think of frame-ancestors like X-Frame-Options on steroids: it restricts what is allowed to frame the content. Gist intentionally does not allow directly framing gists but instead provides a way to embed a Gist.
frame-ancestors 'none' == X-Frame-Options: DENY
32
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
