Question
I have an application siteA.com that is loaded in an iframe inside siteB.com. There is no warning when loading siteA.com directly, but I get Unrecognized Content-Security-Policy directive 'frame-ancestors' when it is inside an iframe in siteB.com; this happens only in Safari.
All these changes were made in siteA.com.
Meta tag, with no luck:
<meta http-equiv="Content-Security-Policy" content="frame-ancestors siteB.com">
What headers should I add to siteA.com to allow Content-Security-Policy directive frame-ancestors?
Then I tried adding this in the head of the main index.php:
header("Content-Security-Policy: frame-ancestors 'self' siteB.com;");
but it is still working in siteA and not in siteB.
Also added to .htaccess:
Header set Content-Security-Policy "frame-ancestors siteB.com"
but nothing. Since the problem arises in Safari, I also tried
header("X-Frame-Options: ALLOW-FROM siteB.com");
but this even gives an error.
The nice part is that it doesn't load at all in any of the other tested browsers if the frame-ancestors URL is not the correct one.
What am I doing wrong?
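A small checker for the header value the question is about, added here as an example (it is not code from the question or the answer): it parses the frame-ancestors directive, rejects the stray-colon form used in the .htaccess attempt, and decides whether a given embedder origin would be allowed. The origins and policy strings are constructed for the example.

```python
# Added example (not the page's code): CSP frame-ancestors parsing and matching.
from urllib.parse import urlsplit

def frame_ancestors_sources(csp):
    """Return the frame-ancestors source list, or None if the directive is absent.
    Raises ValueError for the stray-colon form 'frame-ancestors: host', which a
    browser sees as an unknown directive name and ignores."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name == "frame-ancestors:":
            raise ValueError("CSP directive names take no colon: write 'frame-ancestors <sources>'")
        if name == "frame-ancestors":
            return tokens[1:]
    return None

def _host_matches(pattern, host):
    """Exact host match, or '*.example.com' for any subdomain (not the apex itself)."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def embedder_allowed(csp, page_origin, embedder_origin):
    """Would a CSP-aware browser let embedder_origin frame a page at page_origin?
    Covers 'none', 'self' and host sources with optional scheme, port and wildcard."""
    sources = frame_ancestors_sources(csp)
    if sources is None:
        return True  # no directive: CSP places no limit on framing
    page, emb = urlsplit(page_origin), urlsplit(embedder_origin)
    for src in sources:
        if src.lower() == "'none'":
            return False
        if src.lower() == "'self'":
            if (page.scheme, page.hostname, page.port) == (emb.scheme, emb.hostname, emb.port):
                return True
            continue
        s = urlsplit(src if "://" in src else "//" + src)  # host sources may omit the scheme
        if s.scheme and s.scheme != emb.scheme:
            continue
        # scheme-less source: embedder must use the page's scheme (http may be upgraded to https)
        if not s.scheme and emb.scheme != page.scheme and not (page.scheme == "http" and emb.scheme == "https"):
            continue
        if s.port is not None and s.port != emb.port:
            continue
        if _host_matches(s.hostname, emb.hostname):
            return True
    return False
```

Run `embedder_allowed("frame-ancestors 'self' siteB.com;", "https://siteA.com", "https://siteB.com")` to see the question's intended policy accept siteB.com as an embedder and reject any other origin.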
Answer 1:
Unrecognized Content-Security-Policy directive 'frame-ancestors'
This is a browser-level error; you can't fix this. Are you using Safari 9 or older? Safari only supports frame-ancestors starting in Safari 10. The error also simply means the browser is ignoring what is, to it, an invalid directive it has no idea what to do with. It shouldn't negatively impact your site beyond what would normally occur if that directive weren't there. Not all console errors need to be acted on.
When using stuff like Content Security Policy, some older browsers are simply not going to support all features. You should still implement them due to the concept of progressive enhancement.
Note that Safari is frankly basically the new IE in terms of lagging behind support for standards, especially older versions. Don't expect bleeding-edge support, but don't feel afraid to implement new features because of it. Unlike IE, Safari does catch up, and these missing features don't entirely break websites like they used to. It's not just Safari either; Firefox gets things before Chrome sometimes, etc.
Source: https://stackoverflow.com/questions/47947466/safari-unrecognized-content-security-policy-directive-frame-ancestors