
I'm trying to frame content from a 3rd-party provider in an iframe on my WordPress site. I'm emulating something that's set up on an affiliated site. When loading and attempting to download the iframe content, an error is logged: ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

Looking at the headers on the site I'm trying to emulate, I see a Content Security Policy header that includes something like frame-ancestors https://www.wkgiframe.com, which is the home page of that site. That same header from the download response on the site I'm working on has a frame-ancestors 'none' in it.

What determines the value of frame-ancestors in the response header, and is there something I can put in the request to alter the Content Security Policy in the response? www.wkgiframe.com does not have the header web rules set up on the server level, which is not what I would expect, since this is where cross-site security is handled--or is it?

1
  • 1
    This header is determined by the server from which you load that page. In your case that is the third-party provider. Which rules the server applies is up to them. Commented Apr 26 at 8:00
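
The comment above says the framed server's response header decides who may embed it. The sketch below is an added example, not part of the question or the comment, showing how a browser-style check of `frame-ancestors` treats the two header values quoted in the question. The function names and the `provider.example` and `my-wordpress.example` URLs are constructed for illustration, and the matching is simplified: one policy only, no http-to-https upgrade matching.

```javascript
// Added example: simplified evaluation of one CSP policy's frame-ancestors.
// Returns the directive's source list, or null if the directive is absent.
function frameAncestorsSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// [scheme://][*.]host[:port|:*][/path] ; the path is ignored for this directive.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/;

function sourceMatches(source, ancestor, resource) {
  const src = source.toLowerCase();
  if (src === "'self'") return ancestor.origin === resource.origin;
  if (src === '*') return /^https?:$/.test(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src;
  const m = HOST_SOURCE.exec(src);
  if (!m) return false; // 'none' and unparseable tokens match nothing
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the framed resource's scheme.
  const wantedProtocol = scheme ? scheme + ':' : resource.protocol;
  if (ancestor.protocol !== wantedProtocol) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith('.' + host) // "*.a.com" does not match "a.com"
    : ancestor.hostname === host;
  // URL() reports '' for a scheme's default port.
  const effectivePort =
    ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  const portOk =
    port === '*' || (port ? port === effectivePort : ancestor.port === '');
  return hostOk && portOk;
}

// Every ancestor in the frame chain (parent, grandparent, ...) must match.
function canFrame(cspHeader, ancestorUrls, resourceUrl) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true; // CSP imposes no framing restriction
  const resource = new URL(resourceUrl);
  return ancestorUrls.every((u) =>
    sources.some((s) => sourceMatches(s, new URL(u), resource)));
}
```

Nothing the embedding page sends is an input to `canFrame`; only the header returned by the framed server and the origins of the ancestor documents are.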
