• Resolved emilyalice22

    (@emilyalice22)


    Recently we have been working with a third-party iframe which hasn’t been working correctly due to the Content Security Policy. Here is the error message I can see from DevTools: “Refused to frame ‘https://accounts.studentbeans.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors https://onelifeadventures.com.au *.onelifeadventures.com.au”.”

    The only location I can think of where to whitelist all subdomains for this third party is from within Wordfence. Is this correct? If so, can you tell me how to do this?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @emilyalice22, thanks for reaching out.

    I don’t believe allowlisting the iframed domain in Wordfence would make any difference in this case as the “Refused to frame” message isn’t caused by a Wordfence block or feature.

    It looks to me like your .com.au address is allowed to embed studentbeans.com pages in the frame-ancestors CSP rule, but your .com is not. You may be able to specify which domains will be embedding their page in your account settings with studentbeans, or they may need to be contacted directly to manually allow your site to iframe their content.

    I hope that helps point you in the right direction,
    Peter.
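
An added example, not part of the original thread and not Wordfence or Student Beans code: a simplified sketch of how a browser evaluates the `frame-ancestors` directive quoted in the error message, showing why a `.com.au` parent passes and a `.com` parent is refused. The `.com` hostnames and the helper names `sourceMatches` and `frameAllowed` are assumptions made for illustration; only scheme, host and port are compared.

```javascript
// Added example: simplified frame-ancestors check (scheme, host and port only).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol];

// Does one source expression match one ancestor URL?
function sourceMatches(source, ancestor, selfOrigin) {
  const url = new URL(ancestor);
  const self = new URL(selfOrigin);
  if (source.toLowerCase() === "'self'") {
    return url.protocol === self.protocol && url.hostname === self.hostname &&
      portOf(url) === portOf(self);
  }
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // host-source: [scheme://]host[:port][/path]; the path is ignored for ancestors
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // 'none' and unparseable expressions match nothing
  const [, scheme, host, srcPort] = m;
  // A source without a scheme inherits the scheme of the framed page.
  const want = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  const schemeOk = url.protocol === want || (want === 'http:' && url.protocol === 'https:');
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, never the bare "example.com".
  const hostOk = h === '*' || (h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  const portOk = srcPort === '*' || portOf(url) === (srcPort || DEFAULT_PORT[url.protocol]);
  return schemeOk && hostOk && portOk;
}

// Every ancestor in the chain (parent, grandparent, ...) must match some source.
function frameAllowed(policy, ancestors, selfOrigin) {
  const directive = policy.split(';').map((d) => d.trim().split(/\s+/))
    .find((t) => t[0].toLowerCase() === 'frame-ancestors');
  if (!directive) return true; // no frame-ancestors directive: CSP does not restrict framing
  return ancestors.every((a) => directive.slice(1).some((s) => sourceMatches(s, a, selfOrigin)));
}

// Policy text taken from the error message in the thread.
const POLICY = 'frame-ancestors https://onelifeadventures.com.au *.onelifeadventures.com.au';
const FRAMED = 'https://accounts.studentbeans.com';
// Constructed embedding origins; the .com hostname is an assumption based on the reply.
for (const site of ['https://onelifeadventures.com.au', 'https://www.onelifeadventures.com.au',
  'https://onelifeadventures.com', 'https://www.onelifeadventures.com']) {
  console.log(site, frameAllowed(POLICY, [site], FRAMED) ? 'allowed' : 'refused');
}
```

The header is sent by the framed site, so only the owner of accounts.studentbeans.com can add another ancestor to it; nothing configured on the embedding site changes the result.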

    Thread Starter emilyalice22

    (@emilyalice22)

    Hey wfpeter,

    Thank you so much for your extra help with this. I saw the .com.au and have requested the change on their end but wasn’t sure if this was contributing to the issue. Really appreciate your help.

    Emily

    Plugin Support wfpeter

    (@wfpeter)

    No worries @emilyalice22, hopefully it should be resolved once your .com is allowed to iframe their pages.

  • The topic ‘Content Security Policy – how to allow third-party subdomain’ is closed to new replies.