Content-Security-Policy Headers are there and showing the correct settings, but still getting a refused connection

wordpress.stackexchange https://wordpress.stackexchange.com/questions/385176

So I'm putting a plugin together that will allow me to connect multiple client sites with an online service.

I can get the service vendor's snippet to load, but once you interact with it, that's where things get tricky and it refuses to load an (I guess) iframe... it's pretty poorly documented.

Refused to load https://www.service-domain.com/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

That's the console log error I was receiving.

So I jumped back into my plugin and added the following:

function bbti_send_headers() {
    // frame-ancestors limits who may frame THIS site; frame-src limits what THIS site may frame.
    header( "Content-Security-Policy: frame-ancestors https://www.service-domain.com/; frame-src https://www.service-domain.com/;" );
}
add_action( 'send_headers', 'bbti_send_headers' );

Now, when I reload the page I'm still getting the same error, "Refused to load https://www.service-domain.com/..." etc.

However, if I look at the network panel and check the page's headers this is what I get:

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Security-Policy: frame-ancestors https://www.service-domain.com/; frame-src https://www.service-domain.com/;

So the header is there but still getting the same error from the script.

Anyone know what it is I missed?


Solution

After tons of digging it appears that the way the error message is worded was a bit misleading.

Refused to load https://www.service-domain.com/ because it does not appear in the frame-ancestors directive of the Content Security Policy.

What isn't clarified above is that it wasn't the server/site I was working on that Refused to load from the vendor's domain, but rather that it was the vendor's property that Refused to load itself into the domain I was working on.

The header snippet above does work in case anyone ever needs it, but if you see that specific error message be aware that it's the other domain, not yours, that is restricted.

As an aside, the issue stems from the fact that the work is being done on a development/staging domain, but when the account/profile was set up with the vendor the current Live/Production domain was used - so the domain I'm calling from isn't listed as being authenticated and is thus being blocked.

Hope this helps someone that comes across a similar issue.
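The answer's conclusion generalizes: an iframe load is gated by two policies sent by two different servers. Added example (not code from the question or from WordPress): a Python evaluator for both checks, where the staging/production URLs and the vendor policy are constructed placeholders, and host-source paths and the frame-src fallback to child-src/default-src are omitted as simplifications.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; a repeated directive keeps its first value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin_of(url):
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or {"https": 443, "http": 80}.get(u.scheme.lower())

def source_allows(expr, url, self_url):
    """Match one source expression against url. Simplification: host-source paths are ignored."""
    scheme, host, port = origin_of(url)
    e = expr.lower()
    if e in ("'none'", "*"):                         # 'none' matches nothing, * matches anything
        return e == "*"
    if e == "'self'":
        return origin_of(self_url) == (scheme, host, port)
    if e.endswith(":"):                              # scheme-source such as "https:"
        return scheme == e[:-1]
    e_scheme, e_rest = e.split("://", 1) if "://" in e else ("", e)
    e_host, _, e_port = e_rest.partition("/")[0].partition(":")   # drop path, split off port
    if (e_scheme and e_scheme != scheme) or (e_port.isdigit() and int(e_port) != port):
        return False
    if e_host.startswith("*."):                      # wildcard covers subdomains only
        return host.endswith(e_host[1:])
    return host == e_host

def directive_allows(policy, directive, url, self_url):
    sources = policy.get(directive)
    if sources is None:  # directive absent: no limit from this policy (child-src/default-src fallback omitted)
        return True
    return any(source_allows(s, url, self_url) for s in sources)

def embed_allowed(parent_url, parent_csp, child_url, child_csp):
    """An iframe loads only if the embedder's frame-src permits the child URL AND the embedded
    document's own frame-ancestors permits the embedder; each policy comes from its own server."""
    return {
        "parent_frame_src": directive_allows(parse_csp(parent_csp), "frame-src", child_url, parent_url),
        "child_frame_ancestors": directive_allows(parse_csp(child_csp), "frame-ancestors", parent_url, child_url),
    }

# Constructed sample: the question's plugin header (served by a staging site) and a hypothetical vendor policy listing only the production domain.
PLUGIN_CSP = "frame-ancestors https://www.service-domain.com/; frame-src https://www.service-domain.com/;"
VENDOR_CSP = "frame-ancestors https://www.live-example.test"
```

Run `embed_allowed("https://staging.example.test/page", PLUGIN_CSP, "https://www.service-domain.com/widget", VENDOR_CSP)` to see the staging case fail only on the vendor's frame-ancestors, exactly as the answer describes.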

Licensed under: CC-BY-SA with attribution