I need a third party website to operate inside an iframe in my website. The third party website works perfectly in the iframe in Firefox. In Chrome, for some reason, users are only allowed to log in; thereafter any link they click on takes them back to the login page (which is the default page for the iframe).

So I looked for a solution and it seems I need to create a Content Security Policy. I've never worked with Content Security Policies before, so I'm not sure how to go about it.

I came across a post with a meta tag example of which I tried several variations of, but no matter how I try it, in Chrome, the page wouldn't even load in the iframe.

<html>
<head>
<title>Student Portal</title>
<link rel="shortcut icon" href="favicon.ico">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://<third party site>; img-src https://*; child-src 'self' https://<third party site>; script-src 'self' https://<third party site>; style-src 'self' https://<third party site>;" />
</head>
<body>
<!-- rest of my code -->
</body>
</html>

I've also tried the <embed> element instead, but get the same results.

Is there another way of creating a Content Security Policy, or perhaps a whole other solution?

Any assistance will be appreciated.

user3270093

2 Answers

1

Try adding sandbox attribute for iframe

<iframe sandbox></iframe>
Pranavan
  • I added the sandbox attribute and everything is still working in Firefox, but now I can't even log in in Chrome. The sandbox attribute is basically making the third party page non-responsive. Any other suggestions? – user3270093 Jul 19 '21 at 17:18
-4

Content-Security-Policy will not solve your issue

Content-Security-Policy (CSP) can only restrict what happens in a web page and block behavior that is open by default.

Most probable problems - SameSite or Sec-Fetch headers

The most probable causes for the problem that you described of the site allowing the framing, but blocking the login:

Option 1: SameSite Cookies Default

If the site is not setting the login cookie with the SameSite parameter explicitly - that could be the issue. Firefox defaults cookies to the less secure SameSite=None. Chrome defaults cookies to the more secure SameSite=Lax (kind of).

The Lax cookie could end up being discarded from the framed request (as it could be a form of Clickjacking / CSRF)

Option 2: Site has a server side handler for Fetch metadata request headers

The site may be blocking on the server side based on context. These features are only supported in the recently released Firefox 90, but have been in Chrome for a while. If you are using Firefox 90 and you see the Sec-Fetch headers in the requests to that site, and the flow works fine, then this is not the issue. If it broke in FF when you upgraded to v90, similar to Chrome, your issue is a handler for one of these:

Sec-Fetch-Site
Sec-Fetch-Mode
Sec-Fetch-User
Sec-Fetch-Dest

Option 3: Something else?

Share more info on the case / site and I'll suggest more options.

Related: CSP Usage Example

By default you can frame any other site in your site. It is the open nature of the web. However you can block iframes from your site with CSP:

Content-Security-Policy:frame-src 'none';

Likewise, a site can refuse to get framed with CSP by setting the (better) equivalent of X-frame-options:deny:

Content-Security-Policy:frame-ancestors 'none';

P.S. don't use CSP meta tags

Serving the CSP through an HTML meta header is considered legacy and has some drawbacks with multiple browser edge cases. Set the CSP via the HTTP headers of the request only.

More info on <meta> bugs

Shai Alon
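The answer's two suspects (Option 1, the SameSite default, and Option 2, a server-side Fetch Metadata handler) and its "Related: CSP Usage Example" section can be modelled as a handful of plain functions. The block below is an added example, not code from the question, the answer or the third party site: it models Chrome's documented handling of the session cookie on a request made from inside a cross-site iframe, a resource-isolation check of the kind the answer suspects the site runs on the Sec-Fetch-* headers, and the response headers a site would have to send to permit framing by a given origin. It runs under Node.js with no dependencies; every origin (`https://portal.example`), cookie name (`session`) and header value in it is constructed for the example.

```javascript
// Added example, not code from the question or the answer above: models the three
// server-side knobs the answer discusses (SameSite cookies, Fetch Metadata checks and the
// CSP framing directives) as plain functions so their effect on a framed login can be
// reasoned about offline. Runs under Node.js with no dependencies; every origin, cookie
// name and header value below is constructed for the example.

// Option 1 -- SameSite. Parse a Set-Cookie header into the attributes that matter here.
function parseSetCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    if (k.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Would Chrome attach this cookie to a request issued from inside a cross-site <iframe>?
// Chrome treats a missing SameSite attribute as Lax; Lax and Strict cookies are withheld
// from cross-site embedded requests (an iframe navigation is not a top-level navigation);
// SameSite=None is only stored when Secure is also present, so it needs https.
function sentFromCrossSiteFrame(setCookie, { https = true } = {}) {
  const c = parseSetCookie(setCookie);
  const mode = c.sameSite || 'lax';
  if (mode === 'none') return c.secure && https;
  return false;
}

// Option 2 -- Fetch Metadata. A resource-isolation check of the kind the answer suspects
// the third-party site runs. Returns true when the request should be served.
function allowedByFetchMetadata(method, headers, { allowCrossSiteFraming = false } = {}) {
  const site = headers['sec-fetch-site'];
  if (!site) return true;                 // no Fetch Metadata (older browser): cannot decide, serve
  if (site !== 'cross-site') return true; // same-origin, same-site or user-initiated ('none')
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];
  const embedded = ['iframe', 'frame', 'embed', 'object'].includes(dest);
  if (mode === 'navigate' && embedded) return allowCrossSiteFraming;
  if (mode === 'navigate' && dest === 'document' && method === 'GET') return true; // plain cross-site link
  return false;                           // cross-site POSTs, scripts, images, fetches, ...
}

// "Related: CSP Usage Example" -- the response headers the framed site would need to send
// for a login to survive inside a frame on `embedderOrigin` (constructed value). Sending
// them is the framed site's decision; the comments below record that this site declined.
function headersToAllowFraming(embedderOrigin, sessionValue) {
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${embedderOrigin};`,
    'Set-Cookie': `session=${sessionValue}; Path=/; HttpOnly; Secure; SameSite=None`,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed request headers as a browser would send them for a cross-site <iframe> load.
  const framed = { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' };
  console.log('cookie without SameSite sent from frame:', sentFromCrossSiteFrame('session=abc; Path=/; HttpOnly'));
  console.log('SameSite=None; Secure sent from frame:  ', sentFromCrossSiteFrame('session=abc; SameSite=None; Secure'));
  console.log('framed request served by isolation policy:', allowedByFetchMetadata('GET', framed));
  console.log(headersToAllowFraming('https://portal.example', 'abc'));
}
```

`sentFromCrossSiteFrame` models only Chrome's behaviour: a session cookie set without a SameSite attribute is treated as Lax and never reaches the framed site after the first navigation, which matches the symptom in the question (login works, every later click lands back on the login page). `allowedByFetchMetadata` follows the usual resource-isolation pattern, so a site running it serves cross-site top-level links but refuses to be framed unless it opts in; comparing it against the Sec-Fetch-* values in the browser's network panel tells you which of the two options you are looking at.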
  • Thank you for this. I came across this post: https://stackoverflow.com/questions/58191969/how-to-fix-set-samesite-cookie-to-none-warning which I sent to the developers of the third party website. Hopefully this will solve the issue. Will give an update as soon as I receive a response from them. – user3270093 Jul 20 '21 at 07:20
  • Sure, happy to help. After more consideration, I would suggest it's indeed more likely to be Option 1 (`SameSite` default). Was this site meant to be framed? If so, I wonder how they did not encounter this problem sooner. – Shai Alon Jul 20 '21 at 17:30
  • The developers of the third party site replied; they're against the iframe plan. So the obvious answer to your last question is no. The third party site is where students (of my client, whose website I'm in charge of) log in to find their results. But when results are being uploaded, students are not allowed to access that site. Because the third party site doesn't have an option to disable student logins, I attempted to hide the third party site's URL by means of an iframe and creative javascripting. They agreed your Option 1 would've solved the problem, but unfortunately they won't implement it. – user3270093 Jul 21 '21 at 19:38
  • Please disclose your relationship to RapidSec every time you mention it. And please don't _just_ answer questions where you can promote your product. This is [spam](https://stackoverflow.com/help/promotion). – ChrisGPT was on strike Aug 05 '21 at 12:28
  • @Chris fair enough - will disclose relationship. Specifically - the only reference in this post to RapidSec is links to explainers about Clickjacking / CSRF. I did not promote any commercial offering in any way, and really went out of my way to solve a complex issue that required expert knowledge (implementation differences between Chrome / Firefox). I would appreciate it if you could make sure that the user granty also discloses his affiliation to csplite.com, in the hundreds of answers in which he links it. From what I see - he is not expected to maintain this same standard in his answers. – Shai Alon Aug 08 '21 at 10:06
  • @ShaiAlon, virtually all of your posts link to your own product. As the "don't be a spammer" link I provided says, "you _must_ disclose your affiliation in your answers". – ChrisGPT was on strike Aug 08 '21 at 11:34
  • As to your comment about another user breaking the rules, _all_ users are expected to maintain the same standard of quality. There are over 15 million registered users, and if somebody else is doing the same thing they may just not have been caught yet. Don't use others' bad behaviour as an excuse for your own. (And I have no idea who "the user granty" is. User names are not unique here.) – ChrisGPT was on strike Aug 08 '21 at 11:38
  • You have no way of knowing who downvoted your answers. Even [elected diamond moderators can't see who cast up or downvotes](https://meta.stackoverflow.com/a/275053/354577). And there are [automated systems in place to detect and correct vote fraud](https://meta.stackexchange.com/a/126857/248627). Don't assume somebody is out to get you. It's quite hard to do that kind of thing here. – ChrisGPT was on strike Aug 09 '21 at 22:30
  • OK @Chris, I hope it does turn out well - I really am trying to create value. I changed the RapidSec linking to OWASP on [this specific answer](https://stackoverflow.com/questions/68444046/how-to-create-a-content-security-policy-to-allow-a-website-to-work-inside-an-ifr/68447430#68447430), but my score still remains a negative 3, although it was chosen as the correct answer by the person who asked. – Shai Alon Aug 11 '21 at 23:42
  • Yeah, well, sometimes posts get downvotes. There's not much you can do about it other than write the best content you can. At least this post is still +9 ([15 points for the checkmark, minus two points for each downvote](https://stackoverflow.com/help/whats-reputation)). – ChrisGPT was on strike Aug 12 '21 at 00:33