Hello, the problem is this. I create a frame

<iframe src="http://prolegkie-info.eversmi.com/" width="100%" height="100%"></iframe> 

In the console, it writes this error.

Refused to display 'a copy of the script violates the following Security Policy directive: "frame-ancestors http://webvisor.com ".

What could be the problem? If I substitute another src into the iframe, it works great.


    This site (the one in the src parameter) prohibits displaying its pages in frames on pages that are not on http://webvisor.com . The browser says directly that the ban is caused by the Content Security Policy settings, namely the frame-ancestors directive.

    This feature belongs to Content Security Policy Level 2 .

    Previously, there was a similar mechanism in the form of X-Frame-Options , but its variant with a "whitelist of domains" ( ALLOW ) did not spread widely, while DENY and SAMEORIGIN were supported much more often. Now it is used mostly for compatibility reasons.

    And CSP L2, which came to replace it, explicitly requires X-Frame-Options to be ignored if CSP is set with frame-ancestors . So X-Frame-Options has nothing to do with it, at least in your browser. An older browser might not understand the CSP header, but it would honor the complete ban on any* embedding via X-Frame-Options . The behavior, however, would be somewhat different: such a browser would also block loading in a frame on webvisor.com .

    This is the choice of the owners of the site in the frame, and it is delivered through the HTTP response header of their site. On your side, there is nothing you can do about it.


    * This is if DENY . If SAMEORIGIN , then embedding is banned everywhere except on the pages of the same site.
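As an added illustration (not part of any of the answers above), here is a small Python model of the decision the answer describes: when a frame-ancestors directive is present, X-Frame-Options is ignored, and only a browser without CSP support falls back to it. The header set and the page URLs are constructed for illustration; the X-Frame-Options: DENY value is an assumption, not something the question shows.

```python
from urllib.parse import urlsplit

# Constructed sample: the CSP value from the error in the question, plus an assumed X-Frame-Options: DENY
SITE_HEADERS = {
    "Content-Security-Policy": "frame-ancestors http://webvisor.com;",
    "X-Frame-Options": "DENY",
}

def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased (the browser's origin)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def source_matches(source: str, embedder: str, framed: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin.
    Simplified matcher: 'none', 'self', '*', full origins and bare hosts only."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == framed
    if source == "*":
        return True
    if "://" in source:  # full origin, e.g. http://webvisor.com
        return embedder == source.rstrip("/")
    return urlsplit(embedder).netloc == source  # bare host

def parse_headers(headers: dict):
    """Return (frame-ancestors source list or None, X-Frame-Options or None)."""
    ancestors = None
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            ancestors = parts[1:]  # an empty list behaves like 'none'
    xfo = headers.get("X-Frame-Options")
    return ancestors, (xfo.strip().upper() if xfo else None)

def may_be_framed(headers, framed_url, embedder_url, csp_supported=True):
    """Decide whether the page at embedder_url may frame framed_url."""
    ancestors, xfo = parse_headers(headers)
    embedder, framed = origin_of(embedder_url), origin_of(framed_url)
    if csp_supported and ancestors is not None:
        # CSP Level 2: once frame-ancestors is set, X-Frame-Options is ignored
        return any(source_matches(s, embedder, framed) for s in ancestors)
    # Browser without CSP support (or no directive): X-Frame-Options decides
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == framed
    return True  # no restriction; ALLOW-FROM is not modelled
```

With the sample headers, a page on webvisor.com may embed the site in a CSP-aware browser, while a browser that only understands X-Frame-Options blocks the frame even there.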

      This site uses the Content Security Policy header.

      In it, the frame-ancestors directive is used.

      This directive specifies eligible parents who can embed this site using <frame> , <iframe> , <object> , <embed> or <applet> .

      In this case, the value used: frame-ancestors http://webvisor.com;

      This means that only webvisor.com is allowed to embed the site.

        The problem is in special directives in the site headers.

        X-Frame-Options: SAMEORIGIN

        X-Frame-Options: DENY

        They prohibit this action.

        • And which site exactly? The one with the frame, or the one the frame points to? - G.Denis
        • The one you are trying to load into the iframe (the one the frame points to). - Ruslan