
I currently just use an AWS S3 Bucket to be able to show some of my HTML canvas animations, and never had issues until I created an iFrame for an ad platform that versions using a feed called Celtra.

I tried ?embed=true and target="_blank" mentioned in another question where the policy was SAMEDOMAIN, and not surprisingly neither worked.

Do I need to use a Create Object Lambda Access Point? According to Mozilla, DENY & SAMEORIGIN are the only options.

ALLOW-FROM uri This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The Content-Security-Policy HTTP header has a frame-ancestors directive which you can use instead.

sideshowbarker
Susan Forman

1 Answer

  1. Yes, you have to use a Lambda@Edge function to add custom HTTP response headers to an AWS S3 bucket.
    But judging by this topic, this one, and this doc, AWS does not add the X-Frame-Options header on its own. Therefore your HTML canvas animations should not be blocked in the iframe.

  2. If you wish to allow iframing at multiple locations, X-Frame-Options is not flexible enough. Use the Content-Security-Policy (CSP) HTTP header with the frame-ancestors directive.

    Content-Security-Policy: frame-ancestors *;

    will allow iframing at any location, while

    Content-Security-Policy: frame-ancestors example.com friends.com;

    allows the page that published this header to be embedded only in the example.com and friends.com sites.

UPDATE

The HTTP header with white list of domains allowed to embed iframe:

`Content-Security-Policy: frame-ancestors example.com friends.com allowed_site.net`

must be published by your s3.console.aws.amazon.com/s3/buckets/advancedbanners page. This page should grant the permissions to embed itself.

I am not sure you can publish the CSP header on AWS S3 without a Lambda@Edge function. You have to use the HTTP header specifically, since frame-ancestors is not supported in the <meta http-equiv="Content-Security-Policy" content=" directives_here "> meta tag.

And you have to find a way to stop publishing the X-Frame-Options (XFO) header on AWS S3 because of a Safari bug: XFO has not been made obsolete in favor of CSP.

granty
  • Thanks granty! 1. The content in the iFrame is definitely being blocked. "Refused to display 'https://s3.console.aws.amazon.com/' in a frame because it set 'X-Frame-Options' to 'deny'. preview.0f7cfd35.min.js:1" 2. If I pursue "Content-Security-Policy: frame-ancestors https://s3.console.aws.amazon.com/s3/buckets/advancedbanners" is this the proper format for just my S3 bucket? And do I still need to use Lambda@Edge func? – Susan Forman Apr 05 '21 at 12:41
  • Pls see UPDATED answer, because a lot of info. – granty Apr 06 '21 at 06:38
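The answer above describes the fix in words: serve the S3 object through CloudFront, attach a Lambda@Edge function to the origin-response event, remove any X-Frame-Options header, and set Content-Security-Policy with a frame-ancestors allow-list. The following is an added example of such a function, not code from the question, the answer, or AWS. The allowed origins (`https://ads.example.com`, `https://*.example.net`) are hypothetical placeholders for wherever the ad platform actually hosts the iframe, and the sample event is constructed to mimic the CloudFront origin-response event shape.

```javascript
'use strict';

// Hypothetical allow-list: the origins permitted to embed the canvas page.
// Replace with the real ad-platform origin(s).
const FRAME_ANCESTORS = ['https://ads.example.com', 'https://*.example.net'];

// Build the CSP value. frame-ancestors takes a space-separated list of
// source expressions: 'self', 'none', *, a scheme such as https:, or a
// scheme://host[:port] with an optional leading wildcard label.
function buildFrameAncestors(sources) {
  if (!Array.isArray(sources) || sources.length === 0) {
    throw new Error('frame-ancestors needs at least one source expression');
  }
  const valid = /^('self'|'none'|\*|https?:|(https?:\/\/)?(\*\.)?[A-Za-z0-9.-]+(:\d+)?)$/;
  for (const src of sources) {
    // Browsers match frame-ancestors on scheme/host/port only and ignore any
    // path, so a source like https://site/path would silently allow the whole
    // site. Reject it instead of shipping a policy that is wider than intended.
    if (!valid.test(src)) {
      throw new Error(`invalid frame-ancestors source: ${src}`);
    }
  }
  return `frame-ancestors ${sources.join(' ')};`;
}

// Rewrite the headers of a CloudFront response object. In the Lambda@Edge
// event format header names are lowercase keys, each mapping to an array of
// { key, value } pairs.
function applyFramingHeaders(response, sources) {
  const headers = response.headers || {};
  // Drop X-Frame-Options so the CSP is the only framing policy the browser
  // sees; an XFO DENY/SAMEORIGIN from the origin would otherwise still block.
  delete headers['x-frame-options'];
  headers['content-security-policy'] = [
    { key: 'Content-Security-Policy', value: buildFrameAncestors(sources) },
  ];
  response.headers = headers;
  return response;
}

// Lambda@Edge handler for the distribution's origin-response trigger.
const handler = async (event) => {
  const response = event.Records[0].cf.response;
  return applyFramingHeaders(response, FRAME_ANCESTORS);
};

// Constructed sample event: what CloudFront would pass if the S3 origin had
// answered with X-Frame-Options: DENY on an HTML object.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        response: {
          status: '200',
          headers: {
            'x-frame-options': [{ key: 'X-Frame-Options', value: 'DENY' }],
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
          },
        },
      },
    }],
  };
}

// Export the handler for Lambda; guarded so the file also runs as a plain script.
if (typeof exports !== 'undefined') {
  exports.handler = handler;
}
```

Deploy the function in us-east-1 and associate it with the CloudFront distribution in front of the bucket as an origin-response trigger; the header must arrive as an HTTP header, since frame-ancestors in a meta tag is ignored, as the answer notes.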