Trying to render iframe: ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'"

node.js iframe heroku content-security-policy
fresh5447 picture fresh5447 · Jul 22, 2016 · Viewed 35.4k times · Source

I would like to render an iframe with the source being Github like so:

<iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe>

This is the error I get in the console: Refused to display 'https://gist.github.com/fresh5447/9bf8d568e3350146ba302d7d67ad576f' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

I was researching how to specify my Content Security Policy in my Node server, to specify that it should accept any iframes from github

So I installed csp-helmet and added this to my server code:

var csp = require('helmet-csp')

app.use(csp({
  // Specify directives as normal.
  directives: {
    frameAncestors: ['*.github.com'],  //I thought these two did the same, so I tried them both.
    childSrc: ['*.github.com']
  },

  // Set to true if you only want browsers to report errors, not block them.
  // You may also set this to a function(req, res) in order to decide dynamically
  // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
  reportOnly: false,

  // Set to true if you want to blindly set all headers: Content-Security-Policy,
  // X-WebKit-CSP, and X-Content-Security-Policy.
  setAllHeaders: false,

  // Set to true if you want to disable CSP on Android where it can be buggy.
  disableAndroid: false,

  // Set to false if you want to completely disable any user-agent sniffing.
  // This may make the headers less compatible but it will be much faster.
  // This defaults to `true`.
  browserSniff: true
}))

But still the same error..

I have been trying to look at the official docs and the HTML5 rocks guide

Not sure if I am super close or taking the completely wrong approach.

Update

I have also tried to set the CSP via meta tag.

  <meta http-equiv="Content-Security-Policy" content="child-src https://gist.github.com; frame-ancestors https://gist.github.com;">

than I received this error:

Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive.

Answer

Scott Helme picture Scott Helme · Aug 3, 2016

As oreoshake points out, the problem here is not your CSP, but the CSP on GitHub. It is GitHub that is preventing you from framing them so there is nothing you can do with your CSP to resolve this.

Related questions

How to select elements within an iframe element in Puppeteer

Since ESPN does not provide an API, I am trying to use Puppeteer to scrape data about my fantasy football league. However, I am having a hard time trying to login using puppeteer due to the login form being nested …

Read More
How do I update Node.js?

I did the following to update my npm: npm update npm -g But I have no idea how to update Node.js. Any suggestions? (I'm using Node.js 0.4.1 and want to update to Node.js 0.6.1.)

Read More
How do I completely uninstall Node.js, and reinstall from beginning (Mac OS X)

My version of node is always v0.6.1-pre even after I install brew node and NVM install v0.6.19. My node version is: node -v v0.6.1-pre NVM says this (after I install a version of node for the first time …

Read More