Bug 1668071 Comment 0 Edit History
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

Steps to reproduce:

We have a content security policy with a frame-src and frame-ancestors directive, but while Chrome loads the iframe successfully, Firefox doesn't. Here's our full CSP policy (notice the settings for frame-ancestors):

```
frame-ancestors: *.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self';
default-src 'self';
connect-src 'self' https://*.kampyle.com https://*.ibm.com https://*.bluemix.net wss://*.ibmcloud.com https://*.medallia.eu https://*.segment.io https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com https://*.braze.com;
script-src 'self' https://*.kampyle.com https://*.ibm.com https://*.bluemix.net https://*.braze.com https://*.medallia.eu https://*.lpsnmedia.net https://*.segment.com https://*.truste.com https://*.trustarc.com https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'unsafe-eval' 'unsafe-inline';
img-src 'self' data: blob: https://*.kampyle.com https://*.ibm.com https://*.walkmeusercontent.com https://*.cloudfront.net;
style-src 'self' 'unsafe-inline' blob: https://*.ibm.com;
font-src 'self' https://fonts.gstatic.com https://*.ibm.com data: https://1.www.s81c.com https://*.medallia.eu https://*.s81c.com;
frame-src 'self' https://*.trustarc.com https://*.truste.com https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com;
```

Actual results:

I turned up debugging to show the CSPContext logs from Firefox when trying to determine whether this page should load or not, and have attached them in the log. If I turn off the frame-ancestors setting (and X-Frame-Options) entirely, the frame loads fine, but this of course causes a security hole in our app, so I would like to prevent this.

Expected results:

I believe the frame should have loaded successfully with these frame-ancestors. Instead it shows the error page for about:blank with a CSP error highlighted. I'm also seeing this in the logs:

```
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored. CDhiddenIframe.compress.html
This error page has no error code in its security info aboutNetError.js:585:13
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored. dashboardpins
```
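An added example, not part of the bug report and not Firefox's or Chrome's code: a small CSP3-style frame-ancestors matcher in JavaScript that parses a serialized policy and checks a chain of ancestor origins against the source list. The host names are taken from the policy in the report; the framed page's own origin `https://dashboard.example`, the `:8443` port and the `https://evil.example` ancestor are constructed for the example. It also exercises two grammar points a practitioner hits with this kind of policy: CSP3 restricts a directive name to letters, digits and hyphens, so a parser that follows the grammar does not recognise `frame-ancestors:` written with a colon, and a `*.host` wildcard matches subdomains of `host` but not `host` itself. The report does not say whether either point accounts for the Firefox behaviour it describes.

```javascript
// Added example for this page: a CSP3-style frame-ancestors checker in plain
// JavaScript.  It is not Firefox's or Chrome's implementation.  Host names come
// from the bug report; the self origin, the :8443 port and evil.example are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a serialized policy into Map<directive-name, source-expression[]>.
// CSP3 defines directive-name as 1*(ALPHA / DIGIT / "-"), so a token such as
// "frame-ancestors:" (trailing colon) is not a valid name and is dropped.
// The first occurrence of a name wins; later duplicates are ignored.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const chunk of serialized.split(";")) {
    const tokens = chunk.trim().split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!/^[a-z0-9-]+$/.test(name) || directives.has(name)) continue;
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Split a host-source such as "https://*.ibm.com:443/path" into its parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/'*]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Scheme matching, including the http -> https upgrade the spec permits.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:");
}

// Does one source expression match `origin`, given the protected resource's own
// origin `self`?  Both are URL objects (whose .port is "" for a default port).
function matchesExpression(expr, origin, self) {
  const lower = expr.toLowerCase();
  if (lower === "'self'") {
    return origin.host === self.host && schemeMatches(self.protocol, origin.protocol);
  }
  if (lower.startsWith("'")) return false;               // 'none' and other keywords never match an origin
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, origin.protocol); // scheme-source
  const src = parseHostSource(lower);
  if (!src) return false;
  // Scheme: the explicit scheme-part, otherwise the protected resource's own scheme.
  if (!schemeMatches(src.scheme || self.protocol, origin.protocol)) return false;
  // Host: "*" matches any host; "*.example" matches subdomains only, never "example" itself.
  if (src.host === "*") { /* any host */ }
  else if (src.host.startsWith("*.")) { if (!origin.hostname.endsWith(src.host.slice(1))) return false; }
  else if (origin.hostname !== src.host) return false;
  // Port: no port-part means the default port only; "*" means any; otherwise exact.
  if (src.port === null) return origin.port === "";
  const urlPort = origin.port || DEFAULT_PORTS[origin.protocol];
  return src.port === "*" || src.port === urlPort;
}

// Evaluate frame-ancestors for a chain of ancestor origins (every ancestor must
// match).  Returns "allowed", "blocked", or "no-directive" when the policy has
// no recognised frame-ancestors directive.  X-Frame-Options is out of scope here.
function checkFrameAncestors(policy, selfOrigin, ancestorOrigins) {
  const sources = parsePolicy(policy).get("frame-ancestors");
  if (sources === undefined) return "no-directive";
  const self = new URL(selfOrigin);
  for (const ancestor of ancestorOrigins) {
    const origin = new URL(ancestor);
    if (!sources.some((expr) => matchesExpression(expr, origin, self))) return "blocked";
  }
  return "allowed";
}

// The frame-ancestors directive as it appears in the report (note the colon after
// the name), and the same directive spelled the way the CSP grammar expects.
const POLICY_AS_REPORTED =
  "frame-ancestors: *.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self'; default-src 'self'";
const POLICY_WITHOUT_COLON =
  "frame-ancestors *.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self'; default-src 'self'";
const SELF_ORIGIN = "https://dashboard.example"; // assumed origin of the framed page (not in the report)
const ADMIN = "https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com";

function demo() {
  return {
    asReported: checkFrameAncestors(POLICY_AS_REPORTED, SELF_ORIGIN, [ADMIN]),
    admin: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, [ADMIN]),
    bareDomain: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, ["https://walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com"]),
    plainHttp: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, ["http://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com"]),
    oddPort: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, [ADMIN + ":8443"]),
    self: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, [SELF_ORIGIN]),
    nestedAttacker: checkFrameAncestors(POLICY_WITHOUT_COLON, SELF_ORIGIN, [ADMIN, "https://evil.example"]),
  };
}

console.log(demo());
```

Run with `node` and compare the result object against the browser's console messages. The `nestedAttacker` case is the one worth remembering when debugging: frame-ancestors is checked against every ancestor in the chain, so an allowed host that is itself framed by an untrusted page still yields a block, and a scheme-less source expression inherits the framed page's scheme, so an `http://` ancestor of an `https://` page is rejected even when the host matches.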