拒绝显示在框架中,因为祖先违反了以下内容安全策略指令 [英] Refused to display in a frame because an ancestor violates the following Content Security Policy directive
问题描述
我正在开发一个salesforce应用程序,该应用程序将在salesforce页面的iframe中呈现。使用节点快递服务器呈现此页面。作为安全性审查的一部分,我只想在salesforce页面中进行渲染,并在嵌入到其他任何位置时进行阻止。
I am developing a salesforce app which is rendered inside an iframe in salesforce page. Using node express server to render this page. As part of security review, i want to render only in salesforce page and block if embedded anywhere else.
为此,我添加了content-security-policy标头,如下所示:
For that, i have added content-security-policy header as below:
response.header( Content-Security-Policy, frame-ancestors salesforce.com);
但已被阻止salesforce页面。
But it is blocked on salesforce page too.
错误:
拒绝显示' https:// localhost:8000 / authenticate ,因为祖先违反了以下内容安全策略指令: frame-ancestors salesforce.com 。*
Refused to display 'https://localhost:8000/authenticate' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors salesforce.com".*
我的iframe呈现在其中的salesforce应用程序网址: https://ap4.salesforce.com/0016F00001vmoMu
salesforce app url where my iframe is rendering : https://ap4.salesforce.com/0016F00001vmoMu
我尝试将域指定为 * .salesforce.com
在指令中。
I tried giving domain as *.salesforce.com
in directives. But it didn't work either.
有人在我做错的地方可以帮我吗?
Can someone help me where i am doing wrong?
推荐答案
尝试删除https并添加子域,如
try to remove https and add subdomain like
add_header Content-Security-Policy "frame-src 'self' www.salesforce.com;"
这篇关于拒绝显示在框架中,因为祖先违反了以下内容安全策略指令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!