问题
I am developing a salesforce app which is rendered inside an iframe in salesforce page. Using node express server to render this page. As part of security review, i want to render only in salesforce page and block if embedded anywhere else.
For that, i have added content-security-policy header as below:
response.header("Content-Security-Policy", "frame-ancestors salesforce.com");
But it is blocked on salesforce page too.
Error :
Refused to display 'https://localhost:8000/authenticate' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors salesforce.com".*
salesforce app url where my iframe is rendering : https://ap4.salesforce.com/0016F00001vmoMu
I tried giving domain as *.salesforce.com in directives. But it didn't work either.
Can someone help me where i am doing wrong?
回答1:
Setting this policy enabled it to render in all browsers
add_header Content-Security-Policy "frame-src 'self' https://salesforce.com;"
来源:https://stackoverflow.com/questions/42781949/refused-to-display-in-a-frame-because-an-ancestor-violates-the-following-content