
Wednesday, 14 June 2017

Content Security Policy (CSP): port in domain directive

For some reason most documentation on Content Security Policy says nothing about ports in source expressions. CSP treats a host on a non-default port as a different source: a host-source written without a port only matches the default port of the scheme (80 for http, 443 for https), and an explicit port has to match exactly. So if you have a directive like frame-ancestors 'self' *.your-client.com, it will not work when your client embeds your application from test.your-client.com:1507; the embedding page is then refused, and the directive has to be frame-ancestors 'self' *.your-client.com *.your-client.com:1507 instead.

It is also possible to use "star notation" for the port, which matches any port: frame-ancestors 'self' *.your-client.com:*
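To make the port rule concrete, here is an added example (not code from the original post) of a simplified CSP host-source matcher that reproduces the behaviour described above: a source without a port matches only the scheme's default port, an explicit port must match exactly, and ":*" matches any port. It follows the scheme, host and port rules of the CSP Level 3 host-source grammar, but leaves out path matching and the spec's full 'self' handling; the page origin https://app.example and the client hosts are assumptions for the demo.

```javascript
// Added example, not code from the original post: a simplified implementation
// of CSP host-source matching that reproduces the port behaviour the post
// describes. Scheme, host and port follow the CSP Level 3 host-source rules;
// path matching and the spec's full 'self' semantics are left out.

const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Parse "[scheme://]host[:port]" into its parts. port is null when the
// expression has none, "*" for the wildcard, otherwise a number.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d{1,5}))?$/i.exec(expr);
  if (!m) throw new Error(`not a host-source: ${expr}`);
  return {
    scheme: m[1] ? `${m[1].toLowerCase()}:` : null,
    host: m[2].toLowerCase(),
    port: m[3] === undefined ? null : m[3] === "*" ? "*" : Number(m[3]),
  };
}

function schemeMatches(exprScheme, pageScheme, urlScheme) {
  const want = exprScheme ?? pageScheme; // no scheme in the expression: use the page's
  // Exact match, or the http->https / ws->wss upgrade the spec permits.
  return want === urlScheme ||
    (want === "http:" && urlScheme === "https:") ||
    (want === "ws:" && urlScheme === "wss:");
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  // "*.a.b" matches "x.a.b" but not "a.b" itself
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// The rule the post is about: a source with no port matches only the
// scheme's default port; ":*" matches any port; a number must match exactly.
function portMatches(exprPort, urlScheme, urlPort) {
  // URL.port is "" when the URL uses the scheme's default port
  const effective = urlPort === "" ? DEFAULT_PORTS[urlScheme] : Number(urlPort);
  if (exprPort === "*") return true;
  if (exprPort === null) return effective === DEFAULT_PORTS[urlScheme];
  return exprPort === effective;
}

// Does one source expression match urlString for a page served from pageOrigin?
function sourceMatches(expr, urlString, pageOrigin) {
  const url = new URL(urlString);
  const page = new URL(pageOrigin);
  if (expr === "'self'") return url.origin === page.origin; // simplified 'self'
  if (expr === "'none'") return false;
  const src = parseHostSource(expr);
  return schemeMatches(src.scheme, page.protocol, url.protocol) &&
    hostMatches(src.host, url.hostname) &&
    portMatches(src.port, url.protocol, url.port);
}

// Evaluate a whole directive value such as "'self' *.your-client.com:*".
// pageOrigin "https://app.example" is an assumed origin for the demo.
function allowedBy(directiveValue, urlString, pageOrigin = "https://app.example") {
  return directiveValue.trim().split(/\s+/)
    .some((expr) => sourceMatches(expr, urlString, pageOrigin));
}

// The cases from the post: the same embedding page against three directives.
const demo = [
  ["'self' *.your-client.com", "https://test.your-client.com:1507"],
  ["'self' *.your-client.com *.your-client.com:1507", "https://test.your-client.com:1507"],
  ["'self' *.your-client.com:*", "https://test.your-client.com:1507"],
];
for (const [value, url] of demo) {
  console.log(`frame-ancestors ${value}  vs  ${url}  ->  ${allowedBy(value, url)}`);
}
```

Running it prints false for the first directive and true for the other two, which is exactly the behaviour the post ran into: the embedding page on port 1507 is only matched once the port is listed explicitly or as `*`. Note that a port-less source still matches `https://test.your-client.com:443`, because the URL parser treats 443 as the default and the matcher compares against the scheme's default port.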

See also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://content-security-policy.com/
