5

I'm working for a company as an external researcher. They gave me a VPN, an RSA token and credentials to access their online portal, which contains web pages on their projects. I'm building a Flask app and I'd like to embed their pages in a frame, but the CSP denies this operation. At the moment this tool is running locally and I'll never put it on their production or test server. In the frame, a message appears instead of the page content, saying:

Blocked by Content Security Policy: this page has a content security policy that prevents it from being loaded in this way. Firefox prevented this page from loading in this way because the page has a content security policy that disallows it.

while the console message says:

Content Security Policy: Ignoring 'x-frame-options' because of 'frame-ancestors' directive

I'm not confident with CSP; I just read a couple of pages on the topic. As I can access their pages by browser (like all the future users of the tool), is there any solution to embed these pages in a frame?

F. Petrulio
  • What frame headers do you have currently? – Chillin' Sep 25 '19 at 12:21
  • Just basic ones – F. Petrulio Sep 25 '19 at 12:30
  • Do you have Frame-src: self ? – Chillin' Sep 25 '19 at 12:37
  • No, as I said I've never seen anything about CSP until 2 hours ago. – F. Petrulio Sep 25 '19 at 12:45
  • in your CSP, add another one called `frame-src: self` and see if that helps – Chillin' Sep 25 '19 at 12:51
  • Another one within your CSP, I mean – Chillin' Sep 25 '19 at 12:51
  • I've no access to CSP. I was trying other solutions instead of calling company's technical team. – F. Petrulio Sep 25 '19 at 12:56
  • There’s no way to avoid it. If their documents are served with a Content-Security-Policy header with a frame-ancestors directive prohibiting their documents from being embedded in frames from other origins, then there’s no way you can override that. The only way you could change that behavior is by asking them to change the value of their Content-Security-Policy header to allow documents served from your origin to embed their documents in frames. (Also note: no CORS changes either you make at your origin or that they make at their origin will have any effect. This has nothing to do with CORS.) – sideshowbarker Sep 25 '19 at 13:17
  • @sideshowbarker it was my fear. However, thank you. – F. Petrulio Sep 25 '19 at 13:46

2 Answers

-1

CSP is enforced by your own browser. There are browser plugins that disable CSP for your browser. For example:

https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden

...although in your case, even if you turn off CSP, you may then just run afoul of the X-Frame-Options header.

Stephen R
  • For the X-Frame-Options header, you might want to check out this question: https://stackoverflow.com/questions/2783095/how-can-i-bypass-the-x-frame-options-sameorigin-http-header – Stephen R Oct 02 '19 at 17:34
-1

You need to ask them to allow your project URL/IP using frame-src, for example:

<meta http-equiv="Content-Security-Policy" content="frame-src 'self' *.YourProjectURL.com;">
Adel Tube
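The thread above turns on which side of the frame each directive is enforced: frame-ancestors is sent with the embedded page (the company portal) and says who may frame it, while frame-src, the directive the second answer proposes, is sent with the embedding page (the Flask app) and only restricts what that page itself may load. The following is an added example, not code from the question or from either answer; it is in Python because the asker is building a Flask app. It models a browser's evaluation of both directives with simplified CSP Level 3 source matching ('self', 'none', '*', scheme-sources and host-sources with a leading "*." wildcard; nonces, hashes and path matching are left out since they do not apply to frames). The portal origin and both header values are constructed sample values, not taken from the page.

```python
# Added example, not code from the question or either answer. It models how a
# browser evaluates frame-src (on the embedding page) and frame-ancestors (on
# the embedded page), with simplified CSP Level 3 source matching.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values; the real portal host is not on the page.
PORTAL_ORIGIN = "https://portal.example-company.internal"  # hypothetical
APP_ORIGIN = "http://localhost:5000"                       # the local Flask tool
PORTAL_CSP = "default-src 'self'; frame-ancestors 'self'"  # constructed header
APP_CSP = "frame-src 'self' https://portal.example-company.internal"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive name is ignored by browsers; the first wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _origin_parts(origin):
    """Normalise an origin to (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, origin, self_origin):
    """True if one CSP source expression matches `origin`; 'self' and a
    scheme-less host-source are resolved against `self_origin`, the origin
    of the document carrying the policy."""
    src = source.lower()
    scheme, host, port = _origin_parts(origin)
    self_scheme = _origin_parts(self_origin)[0]
    if src.startswith("'"):
        if src.strip("'") == "self":
            return (scheme, host, port) == _origin_parts(self_origin)
        return False  # 'none', plus nonce/hash keywords that frames ignore
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    src_scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    rest = rest.split("/", 1)[0]
    src_host, src_port = rest.rsplit(":", 1) if ":" in rest else (rest, None)
    if src_scheme:
        if src_scheme != scheme:
            return False
    elif not (scheme == self_scheme or (self_scheme == "http" and scheme == "https")):
        return False  # scheme-less sources inherit the policy's scheme (http may upgrade)
    if src_host.startswith("*."):
        suffix = src_host[1:]
        if not (host.endswith(suffix) and len(host) > len(suffix)):
            return False
    elif src_host != host:
        return False
    if src_port is None:  # no port in the expression: only the scheme default matches
        return port == DEFAULT_PORTS.get(scheme)
    return src_port == "*" or (src_port.isdigit() and int(src_port) == port)


def frame_ancestors_allows(embedded_csp, embedded_origin, embedder_origin):
    """Checked against the header of the EMBEDDED page (the portal): may a
    document from `embedder_origin` frame it? No fallback to default-src; if
    the directive is absent the browser consults X-Frame-Options instead."""
    policy = parse_csp(embedded_csp)
    if "frame-ancestors" not in policy:
        return True
    return any(source_matches(s, embedder_origin, embedded_origin)
               for s in policy["frame-ancestors"])


def frame_src_allows(embedder_csp, embedder_origin, frame_origin):
    """Checked against the header of the EMBEDDING page (the Flask app): may it
    load a frame from `frame_origin`? Falls back to child-src, then default-src."""
    policy = parse_csp(embedder_csp)
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return any(source_matches(s, frame_origin, embedder_origin)
                       for s in policy[name])
    return True


def x_frame_options_consulted(embedded_csp):
    """The console line in the question: once frame-ancestors is present,
    X-Frame-Options on the same response is ignored."""
    return "frame-ancestors" not in parse_csp(embedded_csp)


def may_embed(embedded_csp, embedded_origin, embedder_csp, embedder_origin):
    """Both sides must agree; only frame-ancestors is under the portal's control."""
    return (frame_src_allows(embedder_csp, embedder_origin, embedded_origin)
            and frame_ancestors_allows(embedded_csp, embedded_origin, embedder_origin))


if __name__ == "__main__":
    print("app frame-src allows portal:", frame_src_allows(APP_CSP, APP_ORIGIN, PORTAL_ORIGIN))
    print("portal frame-ancestors allows app:", frame_ancestors_allows(PORTAL_CSP, PORTAL_ORIGIN, APP_ORIGIN))
    relaxed = "frame-ancestors 'self' http://localhost:5000"  # what the portal team would have to serve
    print("after portal adds the app origin:", frame_ancestors_allows(relaxed, PORTAL_ORIGIN, APP_ORIGIN))
```

Running it shows the situation from the thread: the app-side frame-src check passes, the portal-side frame-ancestors check fails, and nothing set on the app's own response changes that; only a portal response that lists the app's origin in frame-ancestors (the `relaxed` header) flips the result, which is why the answer is a request to the portal's team rather than a local change.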