I am trying to embed a website onto another website using the following code:
<iframe width="100%" height="100%" src="http://www.petarvasilev.com/"></iframe>
this fails I get the following error in the console
Refused to frame 'http://www.petarvasilev.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Here is a JsFiddle to try it out.
I checked the X-Frame-Options header and my site isn't sending one which leaves me oblivious as to why it doesn't work. Any help appreciated : )
The error message clearly says:
Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
So perhaps change 'src' to 'frame-src'?
And please put your code in a jsfiddle (or pastebin or whatever), and provide a link.
Related
I need to use Stripe in my application but I keep getting the error below in the browser console.
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
I've tried to fix it by setting a rule in Content-Security-Policy but I cannot make it work.
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' https://js.stripe.com />
<script type="text/javascript" src="https://js.stripe.com/v3/"></script>"
I run the code in localhost and I am using Firefox Developer Edition.
How can I fix this error?
To allow a script resource at inline, your CSP needs to have 'unsafe-inline' set. But as you can understand from the name, this is unsafe and should be avoided if possible. Rather see if you can move the script code to a separate file.
Also, it seems like you are hitting a problem with a CSP and try to solve it by adding another one. Another CSP can only make it stricter, you can't allow something restricted by the original CSP. You should see if there is a CSP in a response header and modify that one instead.
The website works fine on all other browsers I've tested it on.
On the Brave browser, an error occurs for line 1 of my index.html file (Which is <!DOCTYPE html>):
Refused to load the font 'data:application/font-woff...' because it violates the following Content Security Policy directive: "default-src 'self' *.favicon.cc *.google.com *.gstatic.com *.googleapis.com". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Line 6 of my index.html is this: <meta http-equiv="Content-Security-Policy" content="font-src 'self' data:; default-src 'self' data: blob: 'unsafe-inline';">.
For some reason, this error only occurs on this .co domain, but when I host the same HTML file on other TLDs (I've tested: .ml, .gq, .dev) it works with no issue, using the CSP I set in the header.
Is there any way to get Brave to use the CSP I set in the file instead of the one Brave uses?
I've tried using it as an actual HTTP header, no change.
Edit for additional context: The entire page breaks as if the CSP is set to "default-src 'self' *.favicon.cc *.google.com *.gstatic.com *.googleapis.com" and other page elements do not load properly.
It turns out it's an issue with brave's shields. Disabling them fixed it. I have reported my site to Brave's developers so they can try and fix the problem. As for my site, i've switched to a .com domain from the original .co domain, and it works fine now.
Refused to frame '' because it violates the following Content Security Policy directive: "default-src *". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
I added "wkwebview" plugin for ios. But then I get this error. I don't have an iframe in my code. an iframe is automatically created. From "gap://ready".
Error:
can you help me please
I have a web app running only on our local network. It has a section where image/photo of employee need to show. But i can't load the data and the console always log : Refused to load the image 'unsafe:data:[.image-type];base64, [base64 string]' because it violates the following Content Security Policy directive: "img-src 'self' data: "
Note: Some image/photo is loading but some trigger that error. I'm sure that all the data are safe to load. Also, when i try to edit the html (developer mode inspect element) removing the 'unsafe' word in the src="unsafe:data:...." then image/photo is loaded in the html.
Please help me guys to fix the issue. Thanks!
If you are sure that the images are safe then you can try to use
img-src 'self' data:https:; or img-src 'self' data:http:; based on your protocol.
Hope this helps
I have registered a bot and was working fine till yesterday. All of a sudden my chrome browser refused to load my webchat control of MS Botframework. When i checked the console it throws me the following policies are restricting the iframe from loading url. I tried adding meta-tags but didn't helped me.
Refused to frame 'https://webchat.botframework.com/embed/DiPA_BOT?s=xxxxxxxxxxxxxxxx' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.mydomain.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Also this
botchat.js:34449 Refused to connect to 'https://directline.botframework.com/v3/directline/conversations' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.accenture.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I found the issue why chrome is refused to frame/load directline call and am posting here, may it help for someone like me.
In my server iis,In Http headers section, i saw a header as Conten-Security-Policy. After disabled it, my Bot calls works fine.