
I got this error when I tried to (i)frame sharepoint.com: Refused to frame 'https://xxx-my.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com".

I've tried to put all of this CSP in the frame-ancestors but always get the same error. I wrote the headers in Apache2:

Header always set Content-Security-Policy "default-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
frame-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com; \
script-src 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.microsoftonline.cn *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com"

(The line breaks between the directives are only there to make things clearer.) I've also tried to put X-Frame-Options, x-xss-protection, access-control-allow-origin and access-control-allow-headers. Nothing changes.

My iframe looks like this: <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms allow-modals" src="https://xxx.sharepoint.com/xxx/xxx/_layouts/15/Doc.aspx?sourcedoc={xxx}&action=edit&AllowTyping=True&wdDownloadButton=True&wdInConfigurator=True"></iframe> (I want to open a file such as Excel or Word in edit mode; with action=embedview it works, but I want action=edit.) How can I fix this issue?

1 Answer


The error message means that you are trying to frame a page that has set specifically which other sites are allowed to frame it. If your hostname is not on that list, there is nothing you can do, except modifying headers by proxying the service, of course. In some cases services that restrict framing allow for configuration, so you should check if it is possible to allowlist your site to frame it.

Halvor Sakshaug
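As an added illustration (not code from the question or the answer): the browser enforces frame-ancestors from the framed page's own response header, so headers set on the embedding site never enter the decision. The check below evaluates whether an embedding origin is permitted by such a policy, following the CSP source-matching rules; the abridged policy and the example.org origin are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample, abridged from the frame-ancestors list in the error message above.
SAMPLE_CSP = ("default-src 'self'; frame-ancestors 'self' teams.microsoft.com "
              "*.teams.microsoft.com *.office.com onedrive.live.com "
              "securebroker.sharepointonline.com")
_DEFAULT_PORT = {"http": 80, "https": 443}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy

def _origin(url: str) -> tuple:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or _DEFAULT_PORT.get(scheme)

def source_allows(source: str, ancestor: str, framed: str) -> bool:
    """Does one frame-ancestors source expression let `ancestor` embed `framed`?"""
    src = source.lower()
    a_scheme, a_host, a_port = _origin(ancestor)
    if src == "'self'":
        return _origin(framed) == (a_scheme, a_host, a_port)
    if src.startswith("'"):            # 'none' and any other keyword: no match
        return False
    if src.endswith(":") and "://" not in src:   # scheme-source such as "https:"
        return a_scheme == src[:-1] or (src == "http:" and a_scheme == "https")
    scheme, _, rest = src.rpartition("://")
    if scheme and scheme != a_scheme and not (scheme == "http" and a_scheme == "https"):
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and port != str(a_port):
        return False
    if host.startswith("*."):          # wildcard covers subdomains, not the apex itself
        return a_host.endswith(host[1:])
    return host == "*" or a_host == host

def can_embed(csp_header: str, ancestor: str, framed: str) -> bool:
    """True if `framed`'s CSP permits `ancestor` to iframe it. frame-ancestors does
    not fall back to default-src, so a policy without it imposes no framing limit."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True
    return any(source_allows(s, ancestor, framed) for s in sources)
```

Running it against the policy in the question shows why the Apache headers had no effect: an origin such as https://example.org is simply not in the framed page's list, while *.office.com admits subdomains but not office.com itself.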